What is SOC 2?
SOC 2 is an attestation examination performed by a licensed CPA firm of an organization’s controls against a standard set of criteria, the AICPA Trust Services Criteria. These criteria center on security (the Common Criteria, which are always in scope), and may extend to cover availability, confidentiality, processing integrity, and privacy.
What’s a ‘control’?
A control is a process that is implemented to accomplish a particular goal. For example, if information security is the goal, a basic control might be “Company ABC restricts access to systems storing XYZ data to DEF personnel.” A well-drafted control names who does what, how often, and what evidence shows it happened, because that is exactly what the auditor will ask for. If you need more detailed information, download our guide for drafting SOC 2 controls.
Who cares about SOC 2?
Many companies rely on third parties (vendors, partners, etc.) to provide services. This is part of normal business. But in doing so, they expose themselves to risk. For example, if a hospital uses a vendor’s EHR system to manage patient information, how can it trust that the vendor will actually protect that extremely sensitive data?
The hospital might perform its own audit of the EHR company to get comfortable that the data is safe. The problem is that audits are extremely time-consuming and require expertise to perform. The hospital cannot afford to perform comprehensive audits of all its third parties, and the EHR company cannot afford to be audited by every one of its customers.
So SOC 2 allows this example EHR company to be examined once by a qualified, independent firm, then share that report with any customer that asks.
How long does it take to obtain a SOC 2 report for the first time?
Anywhere from 1 day to 10 years.
(We’re kind of joking, but kind of also serious).
The SOC 2 timeline depends highly on you. How motivated are you to get it done? Have you done something similar before? Do you currently have a mature control environment, or have you never thought about it before? How complex is your company and in-scope system?
Realistically, it can take anywhere from one month to two years.
But here are the steps in a typical timeline:
- Define System Scope – System, Exam Type, Examination Dates, Trust Services Categories
- Identify Third Parties – Audit Firm, and optionally Compliance Software, and Implementation Consultant.
- Identify a Project Timeline – identify project milestones (bullet points below), due dates, and which of the parties above is responsible
- Perform a Gap Assessment – perform an assessment either with your Auditor or your Consultant, (or yourself if you’re experienced). Map your current controls against the SOC 2 criteria, and identify the gaps you need to remediate.
- Remediate Control Gaps
- Draft System Narrative – the system description is a fundamental part of the SOC 2 report. It is basically your chance to tell a story, showing how your system works and how it is protected to your readers.
- Provide Evidence to Audit Firm
- Perform Audit Walkthrough Meetings – These are meetings between your control owners and the audit firm. They are designed to help the auditor fully understand how each control operates before testing it. They can also be useful to close any gaps in evidence.
- Audit Firm performs Quality Control procedures and issues Report
How much does SOC 2 cost?
Anywhere from $1k to millions.
We’re 100% serious.
It depends on a lot of things, including organization size and system complexity, but the biggest driver is the fee premium you choose to pay on top of those factors, and that depends on what you’re going for:
- Low fee premium – you are usually paying for the fastest and cheapest option.
- Medium fee premium – you are usually paying for good service, a quality report, and a professional reputation.
- High fee premium – you are usually paying for the reputation of a big-name firm.
To get an idea of our prices, you can check out our pricing page: https://rendercompliance.com/pricing/
What is the difference between a Type 1 and Type 2 examination? Which one should I get?
A SOC 2 Type 1 exam assesses the description and controls design as of a point in time.
A SOC 2 Type 2 exam assesses the description and controls design and operating effectiveness over a period of time.
Customers and prospects certainly request the Type 2 report more frequently, and respect it more, as it gives a much greater level of assurance.
But you need to weigh two considerations:
- the Type 2 report takes longer to get, as you have to wait until after the end of the examination period (minimum 3 months), and
- the Type 2 report is more expensive (often 20-50% more in audit or consulting fees)
Many organizations opt to begin with a Type 1 to get a report out quickly and affordably, satisfying some customers, then get their first Type 2 report perhaps 6 months later. What’s nice about this approach is that the Type 1 gives you a concrete baseline: as long as you keep those same controls operating consistently through the examination period, the Type 2 should hold few surprises.
Additionally, if you do the Type 1 first and you get close to audit time without being fully ready, you can simply push the as-of date out by a month. You can’t do that so easily with a Type 2, because any control that wasn’t operating at the start of the period shows up as an exception.
Others prefer to begin directly with a Type 2, reasoning that since it is the report they will need eventually, why waste the time and money on a Type 1. This is a viable path as well; they just have to perform a Readiness Assessment, at least internally, before the examination period starts to make sure every control is already operating on day one.
Does the SOC 2 report have an annual renewal requirement?
No.
You may get a new SOC 2 report as frequently as you want. However, each report only covers a specific as-of date or period, and end users will typically reject a report that is more than 12 months old, so the convention is to complete a SOC 2 examination at least annually. For the months between the end of one period and the issuance of the next report, customers will often accept a bridge letter from management stating that the controls have continued to operate. More on this here.
How do I choose which SOC 2 Criteria to include in scope?
Within SOC 2, there are 5 different Trust Services Categories, each one containing certain Trust Services Criteria which the SOC 2 controls must support. We’ll explain considerations for including, or not including, each Category below:
- Security – the foundation of SOC 2 and the only Category that is required in every examination. It is critical for any organization looking to build trust through its data security practices.
- Availability – service offerings that are business critical or require high availability should include the Availability category. Practically speaking, this category only includes 3 additional criteria, so the additional lift for time and money is relatively low.
- Confidentiality – whereas the Security Category concerns keeping unauthorized parties out, the Confidentiality category concerns ensuring that data you have committed to protect is seen only by specifically authorized parties and is retained and disposed of as agreed. Service offerings should include this Category when they want to offer an extra layer of assurance over data confidentiality and data handling to their customers or partners. Like Availability, it is a relatively low additional expenditure of time and money. Many companies choose to complete their initial SOC 2 including the Security, Availability, and Confidentiality Categories.
- Processing Integrity – this Category is concerned with processing data completely, accurately, and in a timely manner from point A to point B. It is common in FinTech or for service offerings that require a high level of data integrity. It is also increasingly common in companies that offer an AI solution. It can be difficult to implement, as the criteria are extremely high level and many different types of controls could roll up to support them.
- Privacy – the purpose of the Privacy Category is to respect end users’ choices about how their personal information is collected, used, retained, disclosed, and disposed of throughout the service offering. Highly regulated industries that process a large amount of PHI or PII commonly adopt this Category. It is a serious lift to introduce this category, especially if you don’t have an existing Privacy program.
Are SOC 2 and ISO 27001 the same thing?
No. They do have similar purposes as information security frameworks designed to suit the needs of a wide array of organizations. But they have a few key differences:
- While SOC 2 is a highly popular report for companies doing business in the United States, ISO 27001 is a standard and certification scheme used more often outside the United States, particularly by European companies.
- With SOC 2, you may set the as-of date (Type 1) or examination period (Type 2) yourself, whereas with ISO 27001, you undergo a Stage 1 Audit (point-in-time review of documentation, scoping, and readiness evaluation), then a Stage 2 Audit (examining the implementation and operational effectiveness of the ISMS). After completing the Stage 2 Audit, the organization must complete annual Surveillance Audits to ensure ongoing compliance, as well as Recertification Audits every three years.
- The end product is functionally different. SOC 2 yields an extensive report with full detail of the system description, the tests performed, and the auditor’s conclusions. It describes a point in time or a period of time in the past. ISO 27001, on the other hand, yields a renewable certificate backed by a more prescriptive control set, with far less of the auditor’s testing and interpretation visible to the reader.
What is the difference between SOC 1 and SOC 2 exams? Do I need both?
The SOC 1 exam covers controls relevant to Financial Reporting, whereas the SOC 2 exam covers controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
One significant practical difference between the two reports is that SOC 1 controls must support Control Objectives (defined by you), whereas SOC 2 controls must support the standard criteria (defined by the AICPA).
Whether you need both depends on what your service does. If your service affects your customers’ financial reporting (payroll, billing, payment processing, and the like), their auditors will ask for a SOC 1. If your customers mainly care about how you protect their data, a SOC 2 is what they will ask for. Some service organizations need both; most SaaS vendors need only a SOC 2.
Can I post my SOC 2 Report on my website?
No. Sorry.
The AICPA guidelines restrict distribution of a SOC 2 report to current or prospective customers, or other knowledgeable users of your service, which is why it is normally shared under NDA. If you want something you can post publicly, the SOC 3 report is the general-use summary designed for that purpose. More on this here.
Can I hire you for a Readiness Engagement and for a SOC Examination?
No. Well, sort of. We’ll explain.
As a licensed CPA firm, we are held to strict independence standards in order to perform attestation engagements.
Basically, we can’t audit our own work.
We can provide Scoping and Gap Assessments, where we evaluate the relevant system scope given your operations and help define the controls that would be relevant and necessary to meet the applicable criteria. But we can’t assist in implementing those defined controls. We’ll do the Gap Assessment and be on hand to answer questions about how we would test things, but implementing the specific processes is the responsibility of service organization management.
You can check out some of our trusted consultants who can perform the implementation and maintenance here on our Partner page.
Need to know more? Feel free to schedule a no-commitment call with us here. We love to help organizations navigate these questions and figure out what they need.