Fact or Fiction: SOC 2

There is a lot of misleading information about SOC 2 audits out in the wild. Hopefully, this article clears up some of the confusion.

Myth: SOC 2 audits result in certification and compliance reports

SOC 2 audits do not result in a "certification" or "compliance" report. CPA firms render their opinion and the result is a report explaining their opinion.

Myth: SOC 2 audits are pass/fail only

There is no pass/fail result. The result of the audit will be either Unqualified (all criteria met), Qualified (most criteria met) or Adverse (several criteria not met)

Myth: Control Exceptions do not impact results

Control exceptions can exist and result in an unqualified opinion.

Myth: SOC 2 Type 1 audits are a pre-requisite for SOC 2 Type 2 audits

SOC 2 Type 1 audits are not required before undergoing a SOC 2 Type 2 audit.

Myth: SOC 2 audits can be completed in about two weeks

SOC 2 audits cannot be completed in 2 weeks - even if using software to prepare, you then need to take time to find a CPA firm and get on their schedule. After that, the audit itself could take 2-3 weeks to complete.

Myth: There is one set of standard controls for SOC 2 audits

Controls are not prescriptive or required. You can meet the criteria how you see fit (hopefully, an auditor will agree with your approach).

Myth: SOC 2 audits only focus on infrastructure and software

The audit will cover more than your infrastructure and software. Several security criteria deal with controls such as policies, onboarding/offboarding procedures, risk management, training, governance, and vendor management.

Myth: All SOC 2 Trust Service Categories are required

All categories are not required - Only security is required.

While we’re at it, let’s clear up some confusion about the relationships between the SOC 2 Trust Services Categories, Criteria, Controls, Points of Focus and Evidence, and do some math.

Categories – The subject matter covered in a SOC 2 audit. There are five categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy.

Criteria – Each Category has its own set of Criteria. There are 61 Criteria (33 for Security, 3 for Availability, 2 for Confidentiality, 5 for Processing Integrity, and 18 for Privacy).

Controls – Policies and procedures that are part of the entity’s system of internal control. Each Criteria must be met by controls implemented by the entity.

Points of Focus – Important characteristics of the criteria and may be used by the entity when designing, implementing, and operating controls. The Points of Focus are not Controls and are not required to be met.

Evidence – For each Control, artifacts will be needed to support that Controls are in place.

On average there will be two to three unique controls required for each Criterion. A SOC 2 audit covering Security may require about 80 controls. A SOC 2 audit covering all Categories may require about 150 controls. For each Control, 1 to 2 pieces of evidence may be required.

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc

About SOC 2 Reports

With SOC 2 reports, organizations decide which categories to include in the scope of the examination. This flexibility means reports are unique to each company, while providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.

Schneider Downs SOC Resources

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Norton Believes Credential Stuffing Attack Led to LifeLock Breach
Why Cybersecurity Programs are Facing Increased Scrutiny from Private Equity Firms
Start The New Year Off Secure: 5 Cybersecurity Resolutions for 2023
TikTok: Spreading Holiday Cheer and Personal Information
Cybersecurity BY David Murphy
Key Benefits of Server Message Block Signing
SEC and PCAOB Developments Conference Day 1
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.