So, your customer or client asked you for a SOC 2 report... now what? What exactly is it? Why do you need it? And how do you get it?
What is a SOC 2 report?
A SOC 2 report is an attestation by a certified public accountant (CPA) stating that your organization meets the industry security standards outlined in the official SOC 2 guidelines by the AICPA.
The report, typically requested by a prospective customer or client, is there to help them confirm that your company's security complies with or exceeds industry standards. Or, in other words: that you're safe to work with, and that their data, their customers, and their systems are protected.
There are two types of SOC 2 reports:
SOC 2 Type 1 is a point-in-time report. This means the auditor checks your security at a single point in time. Are you secure today? A Type 1 report asks an auditor to check your security for that particular moment only.
This report is a great way to check and make sure all the security measures you just put in place a few weeks ago meet industry standards. It can help you prove to leadership that all the hard work your team has been putting into compliance is going to pay off. And it can prove to prospective customers and clients that you are on your way to long-term, ongoing security compliance.
That said, Type 1 is considered a lower-value type of report because it doesn't show long-term commitment to compliance. It only shows that at one specific point in time, you were able to meet the standards.
The more valuable report is SOC 2 Type 2. This report shows compliance over time—often covering a period of at least three months or up to a year. In this report, the auditor looks at your compliance not just for last week, but for the last year (or last three or six months). This report helps prospective clients feel comfortable with your ongoing security standards.
What's included in a SOC 2 report?
SOC 2 reports focus on one or more of AICPA's five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
Security is usually the primary concern, and many companies choose to also audit their availability and confidentiality, because both sets of requirements are straightforward to meet and help prove to customers that their data is protected. For companies in healthcare, a privacy audit may also be requested. Even more rarely, companies will choose to include processing integrity criteria.
No matter which combination of trust service principles you audit for, a completed SOC 2 report includes five core pieces of documentation: the auditor report, management assertion, detailed service description, details specific to each of the trust services categories being evaluated, and test results.
The auditor report
This report—also known as an opinion letter—is the auditor's summary of their audit. It typically includes:
- When the auditor started the project
- The scope of their review
- The time period covered (is it a single point in time or a year's review?)
- Anything good or bad they found during the audit
- An opinion on your security (or other criteria)
The opinion section can fall into four categories.
Unqualified is your A+. It means everything looks great. You're fully compliant.
Qualified means you came close. Your SOC 2 compliance is looking good, but the auditor still wants you to address a few things.
Adverse means you aren't there yet. Your compliance program needs work.
And Disclaimer of Opinion means yikes, your security is a real, risky mess.
Management assertion
This is where you (the business owner) and your management team talk about the audit from your perspective. It covers scope, timeline, and so on from the business perspective instead of the auditor's perspective.
System/service description and trust services criteria
These often-hefty documents are authored by you (the business owner) and/or your teams. Think of these sections as an overview of your company and its systems, teams, and security controls. You'll talk about the trust service principles and how your compliance program addresses them. And you'll give clients a detailed look at the best practices in place across your organization.
Test results
The final section is where the auditor backs up your assertions, going over the systems, teams, and security controls in their own words, describing how they tested those controls, and sharing the results of that testing.
Who needs a SOC 2 report?
With security top-of-mind for pretty much everyone these days, any company that handles data (which is most of us) should be prepared to provide a SOC 2 report to prospective clients.
Keep in mind that it can take over a year to become compliant and get a Type 2 report, so it's best to start working on compliance as soon as possible, even if you don't have a prospect requesting the report right this second.
Who are SOC 2 reports for?
The company requesting a SOC 2 report is typically one that wants to hire you as a vendor. They're asking for SOC 2 because they want to confirm your security compliance and feel safe working with you.
Sometimes they're requesting the report for their own peace of mind. Sometimes they need it to give their clients peace of mind. Sometimes they have industry standards to meet on their end. Other times there are compliance or regulatory standards they have to comply with. Often, all four of these reasons intersect.
Who creates SOC 2 reports?
SOC 2 reports must be created by certified CPAs. Any CPA firm can technically do your report, but we suggest looking for one with strong security experience. If a firm only does a couple of SOC 2 reports each year, the process might not be as smooth and straightforward as with a firm that has a dedicated SOC 2 team.
Look for CPAs experienced with not only SOC 2 reports, but also with your specific industry. CISA and CISSP certifications are a plus. And don't forget to check references.
How does SOC 2 differ from SOC 1 and SOC 3?
Our focus is on SOC 2, but there are actually three types of SOC reports. SOC 1 covers controls relevant to your customers' financial reporting, and SOC 3 is a high-level, public-facing version of a SOC 2 security report (with anything confidential scrubbed out).
SOC 2 is the more detailed, security-focused report we're talking about. It often includes confidential information and a high level of detail about your security programs.
How much does a SOC 2 report cost?
Not including the costs (in budget or time) involved in becoming SOC 2 compliant, the cost of an official CPA audit can range from $10,000 to $50,000 or more, depending on the complexity of your audit.
Factors that your auditor should be asking about when giving you an estimate include:
- The scope of your audit/report
- Your organization size and complexity
- The maturity of your compliance program
- The number of trust services criteria you want to include
For an accurate quote, you'll need to speak directly with a CPA firm.
SOC 2 reports and automation software
SOC 2 compliance is a vital part of being a tech vendor these days, but SOC 2 audits can be complicated, lengthy, and stressful.
Part of the reason we started Drata is to make this all simpler. Our automation software (and, indeed, any automation software worth its salt) lets you easily collect and provide evidence auditors need, generate reports and overviews, and flag when there's a risk to your compliance (for example: if a new employee doesn't complete your secure onboarding process or a new server is auto-spun up without the proper configuration).
Auditors can log into the tool and directly pull the info they need instead of having to do a bunch of back and forth requests with your team. And our dashboards and reports mean not only can you easily monitor the status of your compliance over time, but you can also share that information in a simple, easy-to-digest format.
If that sounds like a relief, schedule a free demo of Drata today!