Johanson Group, LLP

View Original

Essential Knowledge: SOC 2 Compliance Requirements

Ryan Johanson

In its simplest form it is: did you do what you said you were going to do when you said you were going to do it?

Each company will need to identify the risks associated with their business, create controls to mitigate those risks, and then follow through with them. The AICPA has used the COSO framework to create the high-level criteria that need to be addressed as well as points of focus to consider. Each company can and should have controls that are relevant to its organization. 

Learn more here and review the complete list of the criteria and points of focus.

SOC 2 Compliance list

There is not a minimum set of controls or a standardized template of controls that organizations can implement to help ensure that controls are suitably designed based on the applicable trust services criteria in a SOC 2 examination. A company should implement specific controls designed to mitigate risks identified by management, which could prevent the company from achieving its service commitments and system requirements. For that reason, SOC 2 does not prescribe specific controls for any organization. Instead, the trust services criteria establish the outcomes that those controls should meet to achieve a service organization’s service commitments and system requirements.

The AICPA has said: “Because each system and the environment in which it operates are unique, the combination of risks that would prevent a service organization from achieving its service commitments and system requirements, and the controls necessary to address those risks, will be unique in each SOC 2 examination. Management needs to identify the specific risks that threaten the achievement of the service organization's service commitments and system requirements and the controls necessary to provide a reasonable assurance that the applicable trust services criteria are met, which would mitigate those risks.”

Many organizations find this a little frustrating. There are a number of sample controls out there. Many compliance platforms have a basic list that you can use to get started. You will find that some of the controls don’t apply to your organization and that you will want to add other controls. That is exactly what you should do.

Compliance platforms

Compliance platforms such as Vanta, Secureframe, Drata, and Trustero make SOC 2 much easier. Without a platform, you will probably need to hire a CPA firm or a consultant to work with you to develop your controls. Then you will need to monitor all those controls manually. That is a significant cost in terms of money and time. It also leads to the possibility of exceptions on your SOC 2 report. You will also need someone to monitor those controls manually and collect the evidence. This usually ends up being a full-time position. 

We see clients that use a compliance platform get ready to start their SOC 2 audit MUCH sooner than those without one. We also see that those that use a platform are less likely to have an exception. The audit process is much smoother as all the evidence is located in one place and appropriate evidence is collected. The time needed to monitor the controls and collect the evidence is greatly reduced to a few minutes each day. 

What is the minimum time period for a SOC 2 Type II? 

We get this question a lot. Often clients are under pressure to get their SOC 2 Type II quickly so that they can close a deal or they waited too long to get started.

The AICPA does not specify a minimum period for SOC 2 type II. What they do give is some things to consider to determine the audit period. The main point is, will the auditor be able to obtain sufficient evidence to support an opinion of the operating effectiveness of the controls? With the creation of compliance platforms, a three-month audit period is usually sufficient.

We do advise clients to talk to their auditors. We also suggest that if you are thinking about using a shortened period for your first SOC 2 Type II that you try to include as many annual, and semi-annual items as possible.  We also suggest that you talk with your potential clients, to see if a shortened audit period will be sufficient for their needs.

Do we need to have a Board of Directors? 

No. The AICPA recognizes that smaller organizations don’t need to have a board of directors. They do give some guidance about things to consider. Here is what the AICPA has said:

Trust services criterion CC1.2 discusses the need for a board of directors that is independent of service organization management and exercises oversight of the development and performance of internal control. If a smaller, less complex service organization does not have an independent board of directors, how would the service auditor’s opinion on the suitability of the design of controls be affected?

TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, defines a board of directors as follows:

Individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.

This definition recognizes that smaller, less complex businesses may find it costly and unnecessary to attract independent board members. These entities generally have different control environments, which may be as effective as those in larger, more complex organizations. In the context of a smaller, less complex service organization, an owner-manager may have far greater personal oversight over organizational structure operations; the ability to affect ethical values; and the ability to attract, retain, and hold accountable service organization personnel.

In addition, an owner-manager is likely to actively participate in the operation of key controls (by exercising a high level of supervision and review) to provide adequate oversight of internal control and to mitigate risks arising from the lack of segregation of duties that often exists in such organizations. When that is the case, a service auditor may conclude that the lack of a board of directors at a smaller, less complex service organization is unlikely to affect the achievement of the service organization’s service commitments and system requirements.

In some situations, however, an owner-manager may not have the knowledge or competence to perform the oversight role without placing excessive reliance on company service organization management. In this situation, the lack of independent oversight may result in a breakdown in internal controls and increase the risk of fraud. In such cases, the service auditor evaluates the effect of the design deficiency on the service organization’s achievement of its service commitments and system requirements; based on that evaluation, the service auditor may decide to modify the opinion on the suitability of the design in the SOC 2 report.

Our auditors found an exception: are we going to fail? 

No. There isn’t a pass/fail grade for SOC 2 reports.

In general, an exception will not create the need for the auditor to change their opinion. It all depends on the type of exception, how long it took to remediate and if there were other compensating controls in place. You will have the opportunity to have a management response to the exception and explain what happened and what you have put in place to make sure it doesn’t happen again.

There isn’t a hard and fast rule as to the number of exceptions you can have before the auditor changes the opinion. The auditor will look at the deficiencies individually and in the aggregate. This means that professional judgment will be used in creating the opinion of the report.

Your organization will need to look at all aspects of the business to create sufficient controls and ensure that those controls are followed. Using a readiness platform will help you do all of this and decrease the potential of any exceptions. We see organizations of all sizes be able to successfully complete a SOC 2 Type I and Type II report with a “clean” audit opinion. We are sure that you can do it as well!

ABOUT JOHANSON GROUP:

Johanson Group, based in Colorado Springs, CO, provides audits and professional services to public and private companies in a variety of industries world wide.

We serve:

  • SaaS Start-ups

  • SaaS Healthcare Organizations

  • Established SaaS Companies

  • Government SaaS Organizations

We provide:

  • SOC 2 assessments

  • HIPPA assessments

  • ISO/IEC 27001 reports