If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

SOC 2® Assessment: Type 1 vs. Type 2 and Why a Company Should Have One


SOC 2 Type 1 and Type 2 Commonalities

A SOC 2 – Type 1 and SOC 2 – Type 2 Report have many things in common – system description, management’s assertion, and a description of controls as they relate to the Trust Service Criteria. Both reports analyze and report on the design and implementation of the system description and the suitability of control design. The differentiator between the two reports is operating effectiveness.

What are Controls in a SOC 2 Assessment?

“Controls operating effectively provide reasonable assurance of achieving the service organization’s service commitments and system requirements based on the applicable Trust Service Criteria,” per the SOC 2 Guide. Controls are the procedures that operate within a system, and they exist to protect the system and the organization against unintended outcomes. If a system’s outcomes cannot be relied upon, the organization may fail to achieve its service commitments.

When controls operate, there should be documentation describing who did what, when they did it, and what the outcome was. This documentation needs to be retained for the entire assessment period. If documentation is not retained, there is no evidence that the control functioned during the period, which could lead to a qualified opinion in the SOC 2 Report Letter (a notation of material deviations).

How SOC 2 – Type 2 is Different

Auditors performing and preparing a SOC 2 – Type 2 Report will initially review controls and develop a plan to test those controls. The tests are designed to identify material control failures, exceptions, and anomalies. A control failure may be a control that did not operate during the assessment period even though the circumstances warranting its operation did occur, or a control that operated improperly during the period. Often, auditors will select a sample from the population of control operation documentation, unless the number of operations is small, in which case the auditor may review all control operation documentation.

If a control failure is identified, the auditor will note this as an exception in the results of their testing. Unless there are significant failures, it is likely the exceptions will not rise to the qualification of a report. However, failures should be addressed by management to ensure the operating effectiveness of controls for future test periods.

Why Have a SOC 2 Assessment Done?

The completion of a SOC 2 assessment provides an understanding of the system being assessed and the effectiveness of a security program. Since a SOC 2 – Type 2 assesses the control operation for a period of time, these assessments are a great way to prove that an organization is actually doing what they committed to doing regarding their security protocols.

Once the assessment is completed, the engaging organization receives a detailed report that attests to the effectiveness of their security program. This reinforces a company’s credibility because other companies interested in using their services can review this document and see that they meet their security requirements.

It’s important to note that each company decides the design of its own controls to meet its business and security objectives. An organization may choose the scope it wishes to include in its report, a particular system or service for instance, but it must address all the description criteria required in a system description. In addition, at a minimum, an organization must address the Common Criteria category of Security, but it may choose to include one or more of the other trust service categories. Within each trust service category are individual criteria which must also be addressed.

SOC 2 and Vendor Compliance

When a company needs to hire a vendor, they typically conduct reviews to determine which vendors meet their security requirements. Providing an independent SOC 2 Report is an easy way to show your organization meets those needs.

SOC 2 assessments are particularly helpful for companies that don’t already have regulatory and compliance requirements. By having this assessment information, other companies can learn about a potential vendor’s security controls and how those controls operated in the assessment period.

When reviewing a potential vendor, one of the most important aspects we look for at Blue Team Alpha is how they are going to safeguard our data and our customers’ data. Do they have a security program we can trust? These answers can be found in the SOC 2 Report, which holds more value than a self-assessment because it is executed by an independent third party.

Benefits of SOC 2 – Type 2

Compared to Type 1, a Type 2 assessment provides an extra layer of trust and assurance because it demonstrates that a company executes security controls consistently and reliably over a significant period of time. Effective security requires consistency, because one misstep can result in a breach.

Companies that successfully complete a SOC 2 – Type 2 assessment often look for other companies that have also undergone a SOC 2 – Type 2 assessment. This is especially true for businesses at the enterprise level that handle customers’ PII and/or PHI data.

How to Determine What Type is Best for You

It is best to choose a SOC 2 – Type 2 assessment when the security posture is mature enough to demonstrate an organization’s internal control functions are achieved consistently over time. A SOC 2 – Type 1 is a good intermediary step on the journey to best practice, but companies should plan to have SOC 2 – Type 2 completed within six months to one year from the date of the SOC 2 – Type 1 assessment.

Companies want to partner with other companies who can demonstrate their commitment to information security, and a SOC 2 – Type 2 assessment provides that assurance. Organizations are more likely to work with a vendor that has successfully completed a SOC 2 – Type 2 assessment. Generally, provided the report has an unmodified opinion, companies that have a SOC 2 – Type 2 assessment performed have a security program that can be trusted.

This blog was co-authored by Aaron Thomas and Michelle Christy from Copeland Buhl & Company, and Peter Martinson and Stephen Boss from Blue Team Alpha.

About Copeland Buhl & Company

Copeland Buhl & Company, a 50+ year-old Twin Cities based CPA firm, offers traditional tax and accounting services along with specialty services in Accounting & ERP support, and IT and information security compliance (SOC 2/HITRUST). Focusing on unique solutions for unique clients, Copeland Buhl builds long-term relationships by providing high quality, responsive service to clients. It’s not about today’s transaction but planning and building for future success.

How Blue Team Alpha Works With Copeland Buhl

Partnerships like the one that Blue Team Alpha has with Copeland Buhl really give customers the best of both worlds. First, customers get a cyber-battle-tested team averaging a 98.3% customer satisfaction rating. The team leverages front-line breach intel and experiences to secure your environment, as well as achieving and managing your company’s information security program and compliance requirements. Many times, auditors do not fully understand the wide variety of options available to clients to satisfy their cyber compliance controls. This is why we partner with Copeland Buhl. They excel in this area due to their depth of knowledge in the cybersecurity space and provide industry-leading friendly, knowledgeable, efficient, and value-driving audits to their clients.
