SOC 2 Audit FAQ - Part 1
In the first of our SOC 2 FAQ blog series, we cover the questions our clients most frequently ask Romano Security Consulting when we're delivering SOC 2 audit consultancy.
What does SOC stand for?
SOC stands for System and Organisation Control. SOC is a suite of audit reports developed by the AICPA that CPA audit firms can issue in connection with internal controls at a service organisation.
SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity are all part of this suite of SOC reports. SOC 1 and SOC 2 are currently the most popular of the SOC audit reports, but SOC 3 and SOC for Cybersecurity are also gaining in popularity.
SOC is an American standard but is becoming increasingly popular in the UK, Europe and Asia, and more and more of our clients are required to provide SOC audit reports to their clients.
Can my organisation be SOC 2 certified or receive SOC 2 certification?
The short answer is NO. You don't achieve certification to SOC 2 or the AICPA Trust Services Criteria; instead, you receive an auditor's attestation or opinion on the design and operating effectiveness of your internal control framework. Another way of looking at it is that the auditor attests that your internal control framework mitigates the risks to your organisation and then provides you with a report that documents this attestation.
Organisations that have undergone a SOC 2 audit and have subsequently received a SOC 2 audit report have an attestation, not a certification.
SOC 2 reports are considered attestation reports NOT certification reports.
Organisations can display the AICPA logo on their website when they have undergone a SOC 2 audit, but this does not mean that they are SOC 2 certified. It's all about using the correct terminology.
What is ISAE 3402?
ISAE 3402 is an international service organisation assurance standard. The official title of ISAE 3402 is "Assurance Reports on Controls at a Service Organisation"; it is also known as "Internal Control Framework over Financial Reporting" (ICFR) and is utilised in SOC 1 audits.
What standard or standards are used to conduct a SOC 2 audit?
The CPA auditor performs a SOC 2 audit in accordance with SSAE 18 AT-C Section 105, SSAE 18 AT-C Section 205 and the AICPA Trust Services Criteria. The standards above are attestation standards.
What’s the difference between a SOC 1 and SOC 2 audit?
A SOC 1 audit examines an organisation's internal control over financial reporting, whereas a SOC 2 audit is an examination of a service organisation's system description and the suitability of the design of the internal control framework relevant to confidentiality, processing integrity, privacy, security and availability.
Between 1993 and 2011, a SOC 1 report was known as a SAS 70 report. In June 2011, the AICPA and ASB issued the Statement on Standards for Attestation Engagements (SSAE) No. 16, which provides guidance for CPA audit firms reporting on controls at service organisations.
The SOC 1 or SSAE 16 report is pretty much the same as it was under SAS 70: it still provides user organisations with reasonable assurance that controls at their service organisations, relevant to their internal controls over financial reporting (ICFR), are suitably designed and operating effectively.
In May 2017 the AICPA issued SSAE 18, a new standard which superseded all previous attestation standards.
Some of our clients do have requirements to provide both SOC 1 and SOC 2 audit reports. There are also some synergies between the two audits and their audit reports, which can be useful when preparing for SOC audits.
What is a service organisation?
A service organisation is pretty much what it says on the tin: an organisation that provides services to other organisations, usually business enterprises supplying services for financial gain, such as hosting and IT outsourcing, SaaS cloud-hosted software solutions, managed security and financial services.
What happened to the Trust Service Principles?
The Trust Service Principles (TSP) were renamed the Trust Services Criteria (TSC) when the AICPA updated the standard in April 2017. This helped avoid confusion with the COSO Framework 2013, which also referenced 17 principles and with which the TSC were then aligned.
What’s the difference between a SOC 2 Type 1 audit and SOC 2 Type 2 audit?
The main difference between the two types of reports is within the coverage and depth of the audit procedures (tests) performed.
A Type 1 audit report is as of a point in time (e.g. 20th November 2021). A Type 1 audit only covers the design of the internal controls that help you meet your control objectives over the outsourced services that you provide to your user entities and on which they rely from your service organisation. The Type 1 audit report attests to the suitability of the design of the internal controls linked to the control objectives and validates the sufficiency of the controls in aggregate to achieve the control objective described. A readiness assessment can be performed even before the Type 1 SOC report, so that your service organisation understands its existing controls and the recommendations that should be implemented prior to the full Type 1 SOC 2 assessment.
A Type 2 audit report covers a period of time, typically twelve months (e.g. 20th November 2021 to 20th November 2022). A Type 2 audit report covers the design of the internal controls as well as the operating effectiveness of those controls over time, which help you meet your control objectives over the outsourced services provided to your user entities. A Type 2 SOC engagement provides reasonable assurance that the controls operated effectively to meet the service organisation's control objectives over the service commitments and system requirements during the period under review.
Basically, the auditor tests the internal controls throughout the period specified, reports on the operating effectiveness of the controls over that period and provides a detailed description of the tests performed. The SOC 2 Type 2 audit report gives the auditor's opinion on how effectively the controls were operating when tested and whether each control performed without exception; any exception noted is documented in the SOC 2 report.
A SOC 2 Type 1 audit report presents the auditor's opinion or attestation regarding the accuracy and completeness of management's description of the system or service, as well as the suitability of the design of controls as of a specific date; it does not test whether the controls are operating effectively over time.
A SOC 2 Type 2 audit report includes the Type 1 criteria and additionally audits the operating effectiveness of the controls over a selected period of time, typically 12 months but as little as 6 months. It also describes the tests performed on the internal controls and the test results.
Need Help With SOC 2?
Please click here to find out more about our SOC 2 consultancy services.