Services Organization Controls (SOC) 2 is an audit reporting standard issued by the American Institute of Certified Public Accountants (AICPA). The report provides the auditor’s opinion about the design and effectiveness of the organizations controls that address the five Trust Services Principles (TSP):

• Security
• Confidentiality 
• Integrity
• Availability
• Privacy

Organizations are not required to address all five TSPs. Only the Security principle is mandatory; the rest are up to the organization. Additionally, there are two types of SOC 2 reports: Type I and Type II. A SOC 2 Type I report only tests the organization’s controls’ designs, while Type II also tests the controls’ effectiveness. A Type I report is usually just a stepping stone for the organization in preparation for a Type II audit. 

A SOC 2 report covers a specific time period (test period). The test period is usually twelve months but can be as little as three months. SOC 2 audits are conducted by Certified Public Accountants (CPA), members of AICPA.

SOC 2 Type II has become a de-facto standard for US service providers. Any company that performs processing or storage of customer and consumer confidential information will benefit from conducting a SOC 2 Type II audit. A SOC 2 Type II attestation report provides assurances to customers and consumers that their sensitive data is protected and gives the company a competitive advantage.

Furthermore, many companies require that their service providers maintain SOC 2 Type II compliance, and document this requirement as a contractual obligation.

Once the company decides to go through the audit,  the process typically consists of the following steps:

Readiness Assessment

SOC 2 Readiness Assessment establishes if necessary controls have been designed and are operating effectively. This step also includes the establishment of the audit’s scope. The readiness assessment may be conducted by the company’s internal resources, a CPA firm, or a consulting company.

Gaps Remediation

This step involves addressing the gaps identified in the Readiness Assessment. The CPA firm performing the audit cannot be involved in this step to avoid any conflict of interest. For this reason, this step is performed either by the company or by a consulting firm, like Planet 9.

SOC 2 Type II Audit

In this step, the selected CPA firm performs the audit. The audit can only be performed by an independent CPA firm. It can be the firm involved in the Readiness Assessment or another CPA firm. However, this step still requires significant resource commitment from the auditee (the company) as the company will have to provide a lot of documentation and perform evidence testing. 

Continuous Compliance

After a report is issued, the work does not stop. The company has to maintain, improve, and monitor the audited controls in order to ensure a successful audit report the following year.

Planet 9, a San Francisco Bay Area-based organization, employs seasoned professionals with years of experience working in various private industries, including e-commerce, finance, healthcare, manufacturing, and technology. We have consulting experience helping clients become and remain compliant.  Our company has former security Chief Information Security Officers (CISO) and compliance managers from private industries who were responsible for ensuring SOC 2 compliance.

Depending on a client’s internal resources, expertise, and availability, Planet 9 can completely or partially assist the client with the following:

• Conduct a SOC 2 Audit Readiness 
• Perform Gaps Remediation
• Select an audit firm
• Represent the client during the audit process
• Establish and maintain a continuous compliance program