SOC 2 Compliance: What is it and Why Should You Care?


May 12, 2021

It can take a village of service organisations to support a business. In other words, no matter how self-sufficient a company is, chances are it depends upon a myriad of other companies like payment processors, web hosting companies, eCommerce platforms, CRMs, and more.

Each point of contact can present a variety of risks. Some supporting organisations have access to sensitive information about your business and customers. Others provide the engine that makes your company run. What happens if a particular service provider goes down? Would your company grind to a painful halt? Would your customers find their credit card information in the wrong hands? How do you know the provider has a plan to minimize that risk?

System and Organisation Controls (SOC) compliance helps to answer these questions. When a company is SOC compliant, it means an independent CPA firm has examined the company's controls over important factors like security and availability and issued an attestation report on them. Companies that go through the SOC compliance process are showing a commitment to keeping customer data secure and their services running. In this article, we'll talk about what SOC compliance is and why it matters.

What is SOC Compliance?

The American Institute of CPAs (AICPA) developed the SOC reporting process to help companies accurately assess the risks of relying on service organisations. Each SOC 2 report includes a detailed description of the service offering and of the controls established to meet the security criteria and any other criteria in scope. A Type II report also includes a description of the auditor's tests of those controls and any control deviations found during the reporting period. Customers can use this information to determine whether a control gap or deviation noted by the auditors poses a risk to their own business.

There are several different types of SOC programs, including:

  • SOC 1 for internal control over financial reporting
  • SOC 2 for the Trust Services Criteria (formerly called the trust services principles)
  • SOC for cybersecurity
  • SOC for supply chain

SOC 1 applies to companies that directly manage clients’ financials, including payroll processors, loan officers, and medical claims processors. SOC 2 applies to other types of service organisations like SaaS companies and B2B eCommerce vendors. We’ll focus on SOC 2 compliance today.

SOC 2 compliance requirements are built around the AICPA Trust Services Criteria. Businesses choose and build controls to meet the criteria for security, availability, processing integrity, confidentiality, and privacy. Security is the only criterion required in every SOC 2 report. Some businesses add one or two other criteria, while others include all five. Which criteria are in scope depends on what the company does and what its customers rely on it for. In some cases, a company obtains both SOC 1 and SOC 2 reports.

SOC 1 and SOC 2 reports can be broken down further into Type I and Type II. A Type I report describes the controls in place as of a point in time and whether they are suitably designed to meet the chosen criteria. A Type II report goes further: the auditor tests whether those controls operated effectively over a defined review period, typically six to twelve months. In other words, a company sets up its controls, obtains a Type I report to validate their design, and then obtains Type II reports at six- to twelve-month intervals to demonstrate that the controls keep working.

What Does it Take to Become SOC Compliant?

It can take a lot of work for a service organisation to set up the controls needed to become SOC compliant. First, the company needs to decide which of the five Trust Services Criteria it will include in scope. Then it designs the specific systems, tools, policies, and procedures that will serve as its controls against those criteria.

For example, the company may deploy better security tooling, increase employee training around information security, set up backup power systems, and create response plans for different types of failure events. The company may work with CPAs and specialised compliance firms to develop the right controls. During development, the company may also have specialists periodically assess its controls ahead of the formal audit.

Once the controls reach a satisfactory level, the company engages a CPA firm for a formal SOC 2 Type I audit to validate their design. For example, if a security control involved deploying tighter security software, the auditing firm will evaluate the deployment and configuration of that software to confirm that all in-scope systems are effectively covered. After the Type I report, the company operates and monitors its controls for a review period, usually six to twelve months, and then requests a SOC 2 Type II audit to test how the controls worked in practice over that period. Enterprise customers typically only work with service organisations that hold a SOC 2 Type II report.

Individual audits can cost tens of thousands of dollars. That doesn’t include all the hours spent and infrastructure built to accommodate a high level of control in each area. In the end, it’s worth it for the organisation to gain third-party attestation as a trustworthy service partner.
