By: Justin Fimlaid
Have you been thinking about getting a SOC2 report? Are you unsure whether you should do a SOC2 Type 1 or a SOC2 Type 2? Confused about which trust service principle to go after? If yes then read on.
A SOC2 Report stands for Service Organizational Control report. The designation of a “2” at the end of it signifies that it is the assurance report to validate technological controls that are in place for service organizations, versus a SOC1 which looks at financial controls. The SOC2 report as an assurance instrument was developed by the American Institute of Certified Public Accountants otherwise known as the AICPA. The AICPA is the same organization that certifies hundreds of thousands of Certified Public Accountants across the country.
SOC2 Type 1 or SOC2 Type 2?
When talking about SOC2 reports the major decision to make is whether you want a SOC2 Type 1 or SOC2 Type 2. The SOC2 Type 1 is intended to be a point in time assessment. In this type of assessment the accounting firm will determine if your security security controls are designed adequately to meet the Trust Service Principle (TSP) objectives and are in place at the time of assessment. The SOC2 Type 2 assessment validates that your SOC2 controls are in place for a period of time. That time period of time can vary based on your individual organizational requirements. That time period could be three months, six months, it could be a year. The most common time period we see is either six months or a year. In the case of a SOC2 Type 2 this report is a historical look back over over the audit period.
What is the Trust Service Principles (TSP)?
The SOC2 Reports (Type 1 or Type 2) are broken down into what’s called Trust Service Principles. There are five trust service principles that make up the SOC2 report and they are security, availability, processing integrity, confidentiality, and privacy. What’s important about the trust service principles, and important when you’re reviewing a SOC2 report, is that not all trust service principles are required. The only required trust service principle is security and the other trust service principles are optional. Most commonly security is paired with availability or confidentiality only because the availability in confidentiality control objectives are small and to add those to security is a pretty minor lift. It’s also significant for the people doing vendor assessments to look at the SOC2 report and consider whether you are looking at one trust service principle or all five. Whether you have a SOC2 with one Trust Principle, or five Trust Principles the report looks the same on the surface but the details are actually very different.
Objectives or Best Practices?
When we start to think about trust service principles they’re actually objectives and they’re not best practices. As part of undertaking the SOC2 report, a company must design the controls implemented to meet the control objective. Controls might, in some cases, be a best practice but it’s not really the goal of the trust service principle rather that a high-level objective is achieved. From company to company you might see some companies implement strong controls while other check the box. The goal of the accounting is not to ensure that best practices are implemented rather that the objective is met. If you are in the position where you reviewing SOC2 reports any nonconformity as are anomalies within the report could really come down to the rigor of controls that the company has chosen to implement.
Who can deliver a SOC2 Report?
So who can deliver a SOC2 report? Only accounting firms with a CPA registered to do business in the specific state which the SOC2 report is being delivered. So in other words if you’re an organization in South Dakota looking for a SOC2 report you need to find a public accounting firm that’s registered to do business in South Dakota and has the competency to deliver a SOC2 report. In that same example, if you find a public accounting firm in Florida and they’re not registered in your state to do business, they technically by rule of the AICPA, can not deliver the SOC2 report.
SOC2 and Rules of Independence
Worth noting is that the organization that delivers your SOC2 report or opines on the trust service principles objectives CAN NOT be the same organization that helps you remediate gaps or shortcomings because they’d be auditing their own work. One of he biggest requirements of the AICPA SOC2 report is that the report be independent.
Do I need a SOC2 report?
The answer is maybe and it depends on your intent for getting the report and the type of organization that you are.
If you are a service organization looking to give your consumers some confidence as to the security controls within your organization then perhaps maybe it makes some sense. If you’re not a service organization you’ll find that the SOC2 report is a little bit of an awkward fit because the objectives of the report don’t necessarily match those of your business. If you’re looking to get a SOC2 report as a way for someone to independently verify that you’re doing everything that you should be doing for my security best practices standpoint definitely DON’T pursue the SOC2 report for those reasons.
How does NuHarbor Security help with SOC2 Reports?
If you’re looking for a SOC2 report NuHarbor Security can help with readiness and preparation of being audited by an approved accounting firm. NuHarbor Security can also assist with remediation, guidance, and implementation of security controls to help you achieve your SOC2 report.