May 9, 2023

What's a SOC 2 Report and Why Are Your Clients Asking for It?

Devon Lane
Founder and CEO
at Flowbase

By now, if you’re a SaaS vendor that serves enterprise clients, you’ve likely heard about SOC 2. Today’s enterprises are under more scrutiny than ever from regulators and customers alike. Why? Because they handle, store, and process large amounts of customer data that could be compromised in the case of a breach. 

SOC 2 is a framework that provides criteria for how companies can and should manage customer data based on security, privacy, confidentiality, availability, and processing integrity. Enterprises that operate on the cloud have largely been mandated to be SOC 2 compliant — and that means that they’re now looking for the same levels of security and privacy from their SaaS vendors. 

To provide a little more clarity on what SOC 2 is and how it works, we’ve put together some of the key details for you below.

Audit types

Before diving into the SOC framework, it is important to understand the three different types of audits your company can perform:

  • Internal: Run internally by your team, it is put in place to measure and control internal standards and processes.
  • External second: Run by another company — such as a client — to ensure that your company is meeting the requirements specified in the contract.
  • External third party: Run by an independent auditing company to validate that your company is conforming to a set of standards, such as the SOC standards.

What’s great about third-party audits is that they allow you to privately distribute a report to prospects and customers. It also enables you to add a logo to your website, proving compliance with industry standards.

Understanding the SOC framework

Now that we’ve addressed that, let’s take a closer look at the framework itself. 

What it is

SOC, which stands for Service Organization Control, is a reporting framework. As such, at the end of a third-party audit, companies are granted with a report that outlines their level of compliance and are the result of auditing standards followed by the auditors.

Who is in charge? 

The American Institute of CPAs (AICPA) is in charge of designing and maintaining the SOC framework. It is updated regularly to adjust to the fast-moving industry.

Differences between SOC 1 and SOC 2

Both SOC 1 and SOC 2 audits exist to validate the controls in place at your company and let your clients know that you are following industry standards.

SOC 1 is used to audit the controls relevant to your company’s finances.

SOC 2 is used to audit the controls relevant to the security, availability, or processing integrity of either a system you are running, or the information the system processes.

Differences between Type 1 and Type 2

Both SOC 1 and SOC 2 reports exist in two flavors:

Type 1: This is a point-in-time audit, during which auditors evaluate and report on the design of controls your company put into place as of a point in time. This is a great way to show good faith to your customers.

Type 2: This happens over a period of time. This type of audit follows a Type 1 audit and is what your larger customers will be after. Auditors usually recommend taking between four and six months for the first audit, and between six to 12 months for consequent audits. It is important to note that there are no requirements or standards for the audit duration other than a three-month minimum.

At the end of the audit period, auditors will come on-site and review the controls put in place during the Type 1 audit. For a Type 2 audit, however, auditors will ask for historical data. This is how you show your clients and customers that you are continuously following industry standards.

As an example, let's assume that you have a procedure in place to revoke access to a terminated employee:

  • During a Type 1 audit, auditors will review this policy and make sure it conforms to the SOC 2 standard.
  • During a Type 2 audit, the auditors will ask you for a list of all employees who left during the audit period and look for proof that you followed the policy in each instance.
become-soc-2-certified

Do I need a SOC 2 report? 

If your company offers a SaaS solution, a SOC 2 report will prove to your clients that you are handling their data safely by following trusted industry standards. It will make the difference between you and your competitors. Starting with a SOC 2 Type 1 report is a great first step to understanding the technicalities of the audit before moving to the SOC 2 Type 2 cycle.

If you are interested in hearing more or have any questions regarding SOC 2 audits, contact us. We specialize in assisting companies prepare for SOC 2 audits and want to help you make the process smoother and faster.

We’re here to help.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt.

Get Started
LEARN MORE!
Responsive Components
Responsive Components
Responsive Components
Hey! Have any questions?

Frequently Asked
Questions

What type of compliance standard can you help with?

We help our clients based on their needs. The majority of our contracts involve SOC-2, HIPAA, and most recently GDPR. Feel free to ask us if we can help with your particular case. If we aren't able to, we can most likely recommend you to someone who can.

How long does a SOC 2 engagement usually take?

We move as fast as our clients are able to make progress. Our fastest client to date got their SOC-2 Type I four months after signing our engagement letter. That record is up for grab if you are up for it.

In our experience however, it takes 6-9 months to achieve a SOC-2 Type I,  and 3-6 additional months to obtain a SOC-2 Type II report.

Which standard do you follow for your security policies?

All of our security policies follow the ISO-27001 standard. The Confidentiality, Integrity, and Availability standards cover the range of standards we like to work with for SOC 2.

Why do we have to become SOC 2 compliant if we are relying on AWS which is already compliant?

SOC 2 stands for Service Organization Control, meaning your clients are interested in understanding your controls, not your hosting provider’s control. As part of your vendor assessment we recommend reviewing AWS’ SOC 2 report, but relying on their report is not enough to become SOC 2 compliant.

Who is behind SOC 2?

The American Institute of CPAs. The AICPA is an established and respected organization that provides two forms of audits to companies that demonstrate evidence of a secure data-protection infrastructure. A Type I is a point in time audit that addresses the company’s description of its system, the suitability of the system’s design, and the effectiveness of its internal data controls. A Type II report happens over a period of time and emphasizes design and also focuses on the validity of the company’s controls.

Are SOC 2 reports a legal obligation?

No, but most enterprise level organizations that engage with sensitive data (again, almost all of them) have an obligation to their stakeholders to prove due diligence regarding data security, which means they’ll want to vet their service providers using this tool. SOC 2 can help these prospective service providers set themselves apart from the competition. Just as important, a SOC 2 report represents a meaningful and respected signifier of trust.

What can happen to a company without a SOC 2 report?

A lack of a SOC 2 report won’t result in legal problems, but it can and will limit outside assessments of the company’s commitment to data security. When large-scale clients look for providers, or large-scale backers look for a likely return on their investment, they don’t want concerns about security to stand in the way. Trust is a chain made of links that have each been put the test and have proven their ability to withstand pressure and scrutiny. Company leaders are wise to let SOC 2 auditors apply this pressure so their clients and backers don’t have to.

When is it too late for a SOC 2 audit?

Never. Even companies that have been in business for years but have never obtained a SOC 2 report can—and should—take steps in this direction now. Being compliant with SOC 2 can open the door to a broader base of more significant clients and larger contract opportunities. That being said, startups in the threshold of the marketplace, and new business owners who hope for an eventual public offering, should obtain a SOC 2 report during the development and financing process. By the time the company approaches Series B and C fundraising rounds, a report should be in hand.

How complicated is the auditing process?

The auditing process can be easy, or complicated depending on your level of preparation.

Preparing for the audit can take some time, attention, and the guidance of reliable data security experts. Don’t leave any part of this process to chance. Approach SOC 2 compliance one step at a time, and start by contacting a consulting firm with track record of experience in your area of the marketplace.

Home
Resources
Contact
Raze™ All Rights Reserved, 2022.
Style Guide
Licence
Changelog