Demystifying the types of SOC 2 Reports
If you’re reading this, chances are you’ve been asked by a customer or business partner for your company to become SOC2-compliant. Along the way, you’ve probably heard about the differences between Type I and II, or wondered what Trust Principles you’ll need, and how much it’ll all cost. This article hopes to quickly answer all of those questions.
SOC 2, of course, is a form of security compliance that many US-based technology firms have standardized on. SOC 2 audits must be conducted by a CPA (public accounting) auditing firm. From there, however, it gets a lot more nuanced in terms of report types and trust principles.
Type I vs Type II
Briefly put, a Type I audit checks to see if security controls are present and SOC2-compliant as designed. A Type II audit takes a more thorough look to make sure those security controls are effective and well managed on an ongoing basis. Realistically, that means you can expect the following:
SOC 2 Type I: A shorter examination, where the auditor looks at the current or recent state (one day in time) of your company’s security. The auditor confirms policies and procedures are in place. The auditor also checks if security measures have been deployed at least to one user. Auditors will typically request evidence where you can choose any single example to provide.
SOC 2 Type II: A longer-term examination, where the auditor looks over a period of 3–12 months. Typically, the auditor will request random samples of approximately 10% of employees as evidence that various security controls and processes are in place.
For example, in a Type II examination the auditor may ask for a list of all new hires in the last 3 months. Then, they’ll select several names at random and ask to see records of their security training, background checks, and onboarding process.
In a Type I, just providing any single new employee’s records is usually sufficient.
Type II reports are usually considered more intensive and carry more weight with a reviewer. Accordingly, they’ll also take more of your team’s time for preparation and working with the auditors. However, regardless of which SOC 2 type you select, your organization can still use the SOC 2 logo and advertise itself as SOC 2 compliant.
Ok, so what’s SOC 1 then? And SOC 3!?
SOC 1 reports are often confused with SOC 2 Type I, but they are very different reports. To add to the confusion, there’s also a SOC 3. And, they’re all part of the SSAE18.
A SOC 1 audit is focused on accounting and financial controls at an organization. Generally, this audit is only relevant to larger companies. SOC 1 is generally uncommon at startups, with the exception of those in areas such as financial technology or accounting.
A SOC 2 audit is primarily concerned with an organization’s security controls, and can be expanded to cover areas related to other SOC 2 “trust principles.”
A SOC 3 report is essentially a reduced SOC 2 audit report, with far less information covered and included. It is intended to be posted publicly on a web site, unlike the more detailed SOC 1 and SOC 2 reports, which are typically only shared under NDA. This type is very uncommonly requested.
To add even more acronyms to the mix, the SSAE18 standard is made up of the above report types. If you have any of the above reports, your organization has a form of SSAE18 compliance.
Finally, the SSAE18 replaces the old standards of the SSAE16 and SAS70. Sometimes, security questionnaires and boilerplate contracts include outdated references to these standards, which are now replaced by SOC reports.
Point-in-time vs Observable Period
The key distinction with a Type I is what happens if issues or “exceptions” are uncovered by the audit. For example, you may be missing a policy such as a Business Continuity Plan.
In a Type I audit, you could simply create the plan and quickly submit it to the auditor. If that policy passes the audit, the resulting report will not note any ‘exceptions’ or compliance issues.
In a Type II, an exception will be noted that the policy did not exist at the beginning of the audit, but was created later.
Any exception in a SOC 2 report is a “black mark” that may invite questions from a reviewer, so a company’s goal should be to have few or no exceptions. A report without any exceptions is called a “clean report.”
The handling of exceptions is a key distinction between Type I and II. Type I is a “point in time,” so if an exception is noted the company may have an opportunity to quickly resolve it and still obtain a clean report. A Type II demands that all security controls be in place for the entire “observable period,” noting even exceptions that are promptly fixed.
Most auditors will offer to perform a gap assessment prior to your SOC 2 audit. This is essentially a “dry run” where they will point out any issues you might have to resolve to satisfy SOC 2 compliance criteria. Pricing-wise, they generally come in at ~80% of the cost of the actual SOC 2 audit.
Practically speaking, for small companies the results of an auditor gap assessment are rarely worth the cost. Guidance and templates given by auditors are often only relevant to larger companies with older on-premises technology stacks, and ill-fitting for smaller startups. Auditors can’t help actually execute on tasks, but only give broad guidance on how to satisfy their criteria.
Gap Assessments don’t need to be done by an accredited CPA auditor. You can perform them internally using various software tools, or engage a competent consulting firm. Often, the price of software tools and/or consulting is less than the price of the auditor-driven gap assessment.
To add to the complexity of selecting a SOC 2 report, you can choose to do only the “Security” or Common Criteria trust principle, or to expand the scope of the SOC 2 audit into up to four additional areas.
- Security: (Required) The “Common Criteria,” or core of the SOC 2 audit, covering security management and measures.
- Availability: Examines the measures your company uses to be highly available, recover from failure as well as communicate about downtime.
- Confidentiality: Evaluates how data is restricted internally amongst personnel at the company, and related processes such as the way support staff are authorized to access customer data.
- Processing Integrity: Focuses on how data is validated when received and output, and QA testing of changes. More important for areas where data quality is of paramount concern, such as healthcare or financial transactions.
You can expect the price of your audit to increase with each added trust principle, with the lowest-priced audits including only the Security/Common Criteria.
Regardless of the trust principles you select, as long as you pass the audit you’ll be able to describe your company as SOC2-compliant.
Generally speaking, most small organizations find it easier to initially pursue the Availability principle, while other add-on principles require investments in internal tooling and more complex changes. Some industries such as healthcare and financial services demand early focus on confidentiality and processing integrity, while companies in other industries may never see a requirement to comply with those trust principles.
How much should the audit cost?
Pricing varies significantly between auditors, and also depending on how many trust principles you include. Generally speaking, an audit for a startup with fewer than two hundred employees would range:
SOC 2 Type I: $15,000-$25,000
SOC 2 Type II: $20,000-$35,000
Note that this is the price for just the audit, not total cost of becoming compliant. Total cost of compliance should also factor in things such as software licensed to assist and time spent by your team.
Which type should I do first?
Unless you have clear business requirements that demand a Type II report or specific trust principles, it’s generally less onerous to start becoming compliant with SOC 2 Type I. SOC 2 reports must be renewed annually, so in the following year you can move to Type II after becoming more comfortable with the ongoing requirements of SOC 2 compliance.
In short, most startups will be well-served by:
- Skipping the gap assessment and going straight into SOC 2 Type I;
- Selecting the Common Criteria and Availability trust principles initially, adding others if you are in a sensitive industry such as healthcare;
- Keeping up to date on ongoing compliance tasks after the SOC 2 Type I;
- Scheduling a SOC 2 Type II for the following year when your compliance is up for renewal.
Usually, this is the quickest and most cost-effective way to become SOC 2 compliant for smaller companies and startups.
Will Pizzano, CISM is Founder of Sentant, a managed security and IT services provider that has helped dozens of companies achieve SOC 2 compliance. If you’re interested in help obtaining SOC 2 compliance, contact us.