SOC 2

Frequently Asked Questions

What types of organization undergo a SOC 2 examination?

Many small and medium-sized companies that do not yet have an information security or compliance program elect to undergo a SOC 2 readiness and examination process. SOC 2 is widely recognized, and its criteria overlap substantially with other regulations and frameworks, including ISO 27001, Sarbanes-Oxley 404, HIPAA, GDPR, PCI and the FFIEC guidelines.


What industries does SOC 2 apply to?

It is important to note that SOC 2 audits are not industry-specific. Any organization that handles sensitive data can benefit from undergoing a SOC 2 audit to demonstrate its commitment to security, availability, processing integrity, confidentiality and privacy.

Examples of organizations that undergo SOC readiness / examination procedures are service providers that perform functions on behalf of other companies including:

  • Cloud Service Providers (SaaS, IaaS, PaaS)

  • Data Centers (Co-location and Managed Hosting)

  • Collections & Third Party Billing

  • Cybersecurity Firms

  • Healthcare providers

  • FinTech companies


What Trust Services Criteria (TSC) are required? Which ones are optional?

A service organization must include the Security criteria (the common criteria) in every SOC 2 examination. Availability, Processing Integrity, Confidentiality and Privacy are optional and are added to the scope based on the commitments the organization makes to its customers.

What are the Trust Services Criteria (TSC)?

  • Security. The system is protected against unauthorized access, use, or modification.

  • Availability. The system is available for operation and use as committed or agreed.

  • Processing Integrity. System processing is complete, valid, accurate, timely, and authorized.

  • Confidentiality. Information designated as confidential is protected as committed or agreed.

  • Privacy. Personal information is collected, used, retained, disclosed and disposed of to meet the entity's commitments and system requirements.

What is the difference between a SOC 2 Type 1 and a SOC 2 Type 2 audit?

The main difference between a SOC 2 Type 1 audit and a SOC 2 Type 2 audit is the scope and duration of the audit.


A SOC 2 Type 1 audit evaluates the design and implementation of controls as of a specific date or point-in-time, and provides assurance that the controls are suitably designed to achieve the related control objectives.


In contrast, a SOC 2 Type 2 audit evaluates the design, implementation, and operating effectiveness of controls over a period of time, typically six to twelve months, so the auditor tests whether the controls actually operated as designed throughout that window.

If I've never undergone a SOC 2 examination before, should I go for a Type 1 report or try to obtain a Type 2?

Because the rigorous requirements of SOC 2 typically lead to changes in an organization's internal business practices, most companies elect to obtain a SOC 2 Type 1 report first and pursue a SOC 2 Type 2 report afterwards, once the controls have been operating long enough to be tested over a period.

Is SOC 1 (SSAE 18) the same as SOC 2?

No.


Controls within a SOC 1 / SSAE 18 report are defined by management, and the audit is risk-based. This report is useful for demonstrating to auditors and user organizations that internal controls over financial reporting (ICFR) are suitably designed and operating effectively.


Controls within a SOC 2 report are also defined by management, but the audit is criteria-based, using the SysTrust / WebTrust principles. This report is useful for demonstrating to a broad range of users (beyond user organizations) that controls over security, availability, processing integrity, confidentiality and/or privacy are suitably designed and operating effectively.

Contact us to see how we can help you prepare for your SOC audit.