Many companies rely on third parties to provide services, and in doing so they expose themselves to risk. For example, if a hospital uses a data center to store PHI, how can it trust that the data center will do its job to protect the PHI?

These companies may request a SOC 2 report from the third party,  which supports their risk assessment of the third party and helps them know if it can be trusted to protect such data or provide such services. So in this example, a hospital would request a SOC 2 report from a data center. 

The SOC 2 timeline depends highly on the complexity and maturity of your control environment, your motivation to get it done, and on who you select as the auditor.

For simpler environments and highly organized/motivated companies, the SOC 2 exam could last as short as 4 weeks. For more complex, or less organized/motivated companies, the process could take 6 months.

It involves the following major milestones:

• Defining the scope of the system
• Defining the controls that meet the SOC 2 criteria
• Drafting the Description of the System (section within the SOC report)
• Providing Evidence to the Auditor
• Auditor Drafts and Issues the final report

A Type 1 exam assesses the description and controls as of a point in time. 

A Type 2 exam assesses the description and controls over a period of time.

Most entities that request a SOC 2 report will be looking for a Type 2 report. 

However, many undergoing SOC 2 for the first time choose to start with a Type 1 exam. This allows them to quickly issue a report to their dependent users as soon as they have reached an acceptable level of security and compliance. Then, they might choose to complete a Type 2 exam just 3 months later if the need is more urgent, or wait a full 12 months. 

No. While SOC 2 is a highly popular report for companies doing business in the United States, the ISO 27001 is a standard and/or certification used more often by European companies.

Besides the standards for each being published by separate regulating bodies, and separate project timelines, while ISO 27001 is primarily about evaluating that you have a program in place, SOC 2 (Type 2) will evaluate whether the security controls identified actually operated over a time period.

The SOC 1 exam covers controls relevant to Financial Reporting, whereas the SOC 2 exam covers controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

One significant difference between the two reports practically is that SOC 1 controls are required to support Control Objectives, which are defined by you. Whereas the SOC 2 controls must support the standard criteria defined by the AICPA.

No.

As a licensed CPA firm, we are held to strict independence standards in order to perform attestation engagements.

Basically, we can’t audit our own work.

We could provide Gap Assessments, where we essentially do an ‘audit-lite’ and report on the results you might expect. But we can’t assist in implementing SOC 2 controls.