Getting Started with SOC 2 Reports

Need some help getting started with SOC 2 Reports and don’t know where to begin?

Before you get stuck in a Google rabbit hole, the following are some best practices based on our experiences.

  • The SOC 2 Trust Services Criteria (TSCs) consists of five Categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Security is required; the other four are optional and each Category is made up of Criteria.

  • During a SOC 2 audit, organizations will be required to demonstrate to their auditors that they have sufficient controls in place to meet all the criteria for the in-scope Categories.

  • For each control, the auditor will request evidence to illustrate that the controls are designed appropriately and operate effectively.

  • The audit must be performed by a CPA firm.

  • There are two types of SOC 2 examinations: Type 1 and Type 2. A Type 1 only covers the design of controls as of a specified date and a Type 2 covers design and operating effectiveness of controls over a period of time.

  • At the end of the audit, the CPA firm will issue a SOC 2 report that includes its opinion on whether controls are appropriate to meet the criteria.

Depending on the size of a company, some control areas may cause angst for some. The list below outlines someof the most important control areas to take into consideration for your SOC 2 journey.

  • Governance – Policies for governance over security need to be established.
  • Communication to Leadership – Formal procedures need to be established to communicate the state of security to leadership on a regular cadence.
  • Risk Assessment – Threat events need to be identified and quantified annually based on likelihood of occurrence and impact on the organization.
  • HR Controls – New hires and current employees need to sign off on policies and complete security awareness training and performance reviews annually.
  • Background Checks – Backgrounds for new hires must be validated. Country-specific and privacy laws can make this one complicated.
  • Endpoint Security – Endpoints will require endpoint protections.
  • Onboarding/Offboarding – Workflows need to be implemented to ensure these processes can be audited.
  • Security Monitoring – Events that indicate incidents should trigger alerts to personnel.
  • Business Continuity – Plans need to be documented and DR procedures need to be tested annually.
  • Vendor Risk Management – Security controls for key vendors need to be monitored and reviewed annually.

Additionally, before committing to a date to deliver a SOC 2 Type 2 report to a customer, you should be aware of the following:

  • Your customers will probably expect your first SOC 2 Type 2 report to cover an audit period of six months.

  • In ourexperience, on average, it takes three to six months to remediate control gaps to ensure SOC 2 control requirements are met. Time is needed to formalize policies and procedures, make changes to software, integrate new workflows, and implement tools required for security.

  • All controls need to be in place on day one of the SOC 2 Type 2 audit period. If they aren't, you risk having significant exceptions noted in your report.

  • CPA firms must have a quality control (QC) process in place. It could take four to six weeks to complete. The QC process starts when testing is completed, which will be near the end of the audit period.

Based on the above, it could take one year or more from the day you begin your SOC 2 journey to the day you obtain a SOC 2 Type 2 report. Our recommendation is to complete a SOC 2 Type 1 examination first to show customers you are on your way to a SOC 2 Type 2. The Type 1 examination will cover a specific day and you can schedule your audit with a CPA firm shortly after the second bullet point above is completed.

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at

About SOC 2 Reports

With SOC 2 reports, organizations decide which categories to include in the scope of the examination. This flexibility means reports are unique to each company, while providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.

Schneider Downs SOC Resources

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Staying Secure During Vacation Season
What Should a Service Organization Consider When Determining Its SOC Report Testing Period?
Lincoln College Closes Due to Ransomware Attack
What Were the Most Routinely Exploited Vulnerabilities of 2021?
What is blockchain? How can I secure my blockchain environment?
The Benefits of a Compliance Automation Platform
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.