Your Guide to SOC 2 Attestation Reports

During a SOC 2 attestation, companies need to use specific criteria to evaluate their services.

All the things surrounding SOC 2 reports and attestation can seem a little overwhelming and complicated. We get it; that's why we've created this quick guide to SOC 2 attestation reports with simplified terms and definitions to help you understand the basics.

A Quick SOC 2 Refresh

You've landed on this article for SOC 2 attestation, so odds are you already know what a SOC 2 report is, but just in case, here's a quick refresh:

What does the 'SOC' in 'SOC 2' mean?

  • 'SOC' stands for System and Organization Controls; the '2' identifies this particular type of SOC report.

  • SOC 2 is a set of standards developed by the American Institute of Certified Public Accountants (AICPA).

    • These standards help businesses evaluate their internal controls and ensure they meet industry best practices regarding information systems management and cyber security.

Now, onto the basics of SOC 2 attestation reports.

What is a SOC 2 attestation?

A SOC 2 attestation is a third-party assessment of a service organization's controls relevant to:

  • Security

  • Availability

  • Processing Integrity

  • Confidentiality

  • Privacy

Why do you need a SOC 2 Attestation?

The idea behind a SOC 2 attestation is that companies can demonstrate their commitment to data protection by having their systems reviewed independently. Customers can then make informed decisions about whether it's safe to store sensitive information in the cloud and avoid legal issues down the road.

The reason for a SOC 2 attestation is that it helps companies and clients know that information held at the service organization is being kept private and secure.

What does a SOC 2 attestation include?

To assure customers that you're keeping their data safe and secure, you need to show that your company has thought through all aspects of data protection.

Including:

  • Who has access to customer data?

  • What measures do you take to protect information against cyberattacks?

What is required during a SOC 2 attestation?

During a SOC 2 attestation, companies are required to use a specific set of criteria to evaluate their services.

These criteria are organized into five trust services categories:

  1. Security (required)

  2. Availability (optional)

  3. Confidentiality (optional)

  4. Processing Integrity (optional)

  5. Privacy (optional)

You will also want to ensure that these controls are in place within your systems prior to your SOC 2 attestation with a CPA:

  • Network Firewalls

  • Two-factor authentication

  • Intrusion detection

  • Performance monitoring

  • Disaster recovery and Incident response procedures

  • Security breach management

  • Quality assurance

  • Process monitoring

  • Data encryption

  • Access controls (physical and logical)

  • Change Management processes

How long does a SOC 2 attestation take?

A SOC 2 Type I (point-in-time) attestation is typically completed in about 4-6 weeks. This may seem like a long time, but remember that the size and complexity of your organization drive the timeline: complex organizations take longer to assess than simple ones.

While these variables are essential in determining the duration of your audit, there are also other factors at play:

  • If you're working with a new auditor and they don't have much experience on their side yet (for example, if you're their first client), then this will slow down the process somewhat as well. That's why we recommend choosing a CPA specializing in SOC 2 attestations like Johanson Group.

  • Some companies may need additional support before providing all the necessary documentation required by SOC 2 auditors; this may add days or weeks to your timeline!

SOC 2 Type II (period-of-time) attestations take longer. The observation period is a minimum of 3 months for a first Type II audit and 12 months for subsequent Type II audits. A Type I report tests the design of controls, whereas a Type II report tests both the design of controls and their operating effectiveness over a period of time.

How much does a SOC 2 attestation cost?

The cost of a SOC 2 attestation depends on many factors, including:

  • Size: Smaller organizations can often complete an audit at a lower cost than larger ones.

  • Complexity: If your company uses more complex controls and procedures than other companies, it will cost more to audit than a company with simpler controls.

  • Type of Service: What type of service is provided by the system being audited? For example, a mobile app for a SaaS start-up may be less expensive than an internal data protection solution for a SaaS healthcare provider due to its more straightforward design and architecture requirements. 

  • Type of audit (i.e., standard or enhanced): A standard assessment costs less than an enhanced one, which includes additional testing for application-specific vulnerabilities and threats.

The SOC 2 attestation process with Johanson Group

  • The first step is to determine whether or not you are eligible for SOC 2 attestation services. If so, we will conduct an initial assessment and provide an estimate based on our findings.

  • Once we have reviewed the scope of work and estimated costs, we can begin working with you to develop a detailed plan for implementing security controls into your existing environment. Our goal is always to achieve compliance as efficiently as possible while minimizing disruption to business operations.

In short, a SOC 2 report evaluates whether a service organization's systems and processes meet high standards for security and privacy.

It also provides assurance on behalf of service providers, so they can show customers that they handle their information responsibly.


ABOUT JOHANSON GROUP:

Johanson Group, based in Colorado Springs, CO, provides audits and professional services to public and private companies in a variety of industries worldwide.

We serve:

  • SaaS Start-ups

  • SaaS Healthcare Organizations

  • Established SaaS Companies

  • Government SaaS Organizations

We provide:

  • SOC 2 assessments

  • HIPAA assessments

  • ISO/IEC 27001 reports
