
SOC 2 Type 2 compliance reporting is becoming much more common, due in large part to the continued growth of technology-oriented service organizations whose customers require independent audits.  The days of a one-size-fits-all standard, namely SAS 70, are long gone, so say hello to SOC 2 Type 2 compliance and the following five (5) important points you need to know about, provided by NDNB Accountants & Consultants, a nationally recognized audit and compliance CPA firm.

1. SOC 1 vs. SOC 2.  SOC 1 (SSAE 16) assessments are generally conducted on service organizations whose services have a clear nexus with their customers' financial reporting, such as payroll processors or transaction processors, while SOC 2 assessments are targeted at technology-oriented service organizations, such as data centers, SaaS providers, and managed service providers, whose customers care about how their systems and data are protected.  The difference lies in what is evaluated: SOC 1 addresses controls relevant to a user entity's internal control over financial reporting, while SOC 2 addresses controls over security, availability, processing integrity, confidentiality, and privacy, using the criteria published by the American Institute of Certified Public Accountants (AICPA), the developer of the SOC standards.  Even so, you'll still find many technology companies being issued SOC 1 reports, often because a customer asked for one out of habit.  SOC 2 reporting, however, is now well known and is being received favorably in the marketplace, a clear break from its recent obscurity.

2. SOC 2 Reporting and the Trust Services Principles (TSP).   SOC 2 Type 2 compliance is measured against what are known as the Trust Services Principles (TSP), a set of principles published by the AICPA, each backed by specific criteria against which a service organization's controls are evaluated.  Unlike SOC 1 reporting, in which the service organization writes its own control objectives, SOC 2 Type 2 reporting is "criteria" based.  The service organization and its auditor choose which principles are in scope; Security is almost always included, and a reader of a SOC 2 report should confirm which principles, and which systems, the report actually covers before relying on it.  The five (5) Trust Services Principles available for reporting are the following:

• Security: The system is protected, both logically and physically, against unauthorized access.

• Availability: The system is available for operation and use as committed or agreed to.

• Processing Integrity:  System processing is complete, accurate, timely, and authorized.

• Confidentiality:  Information that is designated “confidential” is protected as committed or agreed.

• Privacy:  Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the service organization's privacy notice and with the AICPA's generally accepted privacy principles.

3. Type 1 vs. Type 2.  In the never-ending alphabet soup of regulatory compliance, it's important to distinguish between SOC 2 Type 1 assessments and SOC 2 Type 2 assessments.  For an ounce of clarity, just remember that a SOC 2 Type 1 report opines on whether controls are suitably designed as of a specific date, such as August 27, 20xx, while a SOC 2 Type 2 report also tests whether those controls operated effectively throughout a "test period", which is generally a minimum of six (6) months.  A Type 1 report is often a useful first step, since it establishes that the control set is in place before the clock starts on a test period, but most clients will request that a service organization undertake an actual SOC 2 Type 2 assessment, as evidence that controls worked over time says far more about the internal control environment than a snapshot of their design on a single day.

4. Obtain a Fixed Fee with all Supporting Documents.  The key to undertaking SOC 2 Type 2 compliance in an efficient and cost-effective manner is obtaining a fixed fee from a qualified CPA firm, and one that also offers the necessary information security expertise.  Remember, SOC 2 Type 2 compliance depends heavily on documented policies and procedures and on evidence that they were actually followed throughout the test period, so the firm you engage should help you identify the documentation and evidence the auditor will expect before testing begins.  Expect SOC 2 Type 2 compliance to continue to expand and grow in the coming years as more technology-minded businesses opt for this type of reporting.  Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, to obtain a competitive, fixed fee for SOC 2 Type 2 compliance.
