SOC 2 Introduction
Your customers want it. Your customers (might) have it. What is SOC 2 and why does your startup need it?
SOC 2, which stands for System and Organization Controls report, is an auditing standard maintained by the American Institute of Certified Public Accountants (AICPA) to test an organization’s internal controls for information security and privacy. It’s an objective, third-party system that tells customers that they can trust your startup to handle their information with the utmost care.
This is the compliance audit most commonly sought by startups, particularly SaaS companies, as it’s relevant for any business that uses the cloud to store data. To become compliant, a startup must choose one or more trust services criteria and a report type to test against.
There are three types of SOC reports:
You might hear the term ‘SSAE’ when referring to SOC audits. This refers to the AICPA’s Statement on Standards for Attestation Engagements: the regulations auditors use to evaluate companies and, more specifically, to evaluate their compliance controls.
In 2011 the AICPA revealed SSAE 16, formerly known as SAS 70, which required auditors to evaluate a startup’s internal controls and the impact the organization can have on the control environment. This was particularly important for auditors to accurately assess a company’s financial statements (SOC 1).
In 2017 the AICPA replaced SSAE 16 with SSAE 18, an assessment standard covering both SOC 1 and SOC 2. The main purpose of the update was to require companies to take more control of, and accountability for, their third-party vendors. The new standard requires businesses to apply the same risk assessment standards to vendors they work with directly and indirectly.
Issued by the AICPA, the Trust Services Criteria (TSC) evaluate how companies process information and manage customer data. They cover five categories: security, privacy, availability, processing integrity, and confidentiality. To define the scope of the audit and the necessary controls, a SOC 2 report must address one or more of these criteria.
In 2013, the AICPA combined the TSC framework with the COSO framework, which is used to assess the design, implementation, and maintenance of a startup’s controls. Complementary to the TSC, COSO’s five components include:
The TSC and COSO frameworks help businesses work towards a clear set of guidelines when achieving their SOC 2. Get more details on TSC and COSO in Section 3.
There are two types of SOC 2 reports companies can obtain: Type 1 and Type 2. The difference between Type 1 and Type 2 is design versus operating effectiveness.
A Type 1 tests design by looking at your description of controls at a particular point in time. A Type 2 tests operating effectiveness by collecting evidence of your controls in operation over a 6 to 12-month period. Check out our section on types here.
If your business does anything with data and software, or uses cloud computing, chances are you will need a SOC 2 audit sooner or later. Specifically designed for businesses that store data in the cloud, SOC 2 applies to almost every SaaS business.
A SOC 2 report is particularly important for growth-focused B2B startups that are looking to move upmarket and attract bigger customers. Today, enterprise buyers routinely require their vendors to be SOC 2 compliant.
While most startups seek out a SOC 2 audit once reaching their Series A or B, it may be beneficial to do so beforehand if you’ve already begun selling to enterprise customers.
SOC 2 compliance is important because it:
Enterprise companies expect startups to meet the same procurement cycles and compliance requirements as other vendors (see: Growth strategy most founders overlook). In many cases, bigger customers will ask you to become SOC 2 compliant before working with them.
Savvy startups also use SOC 2 compliance as a competitive differentiator. Compliance doesn’t just tell enterprise buyers that you are open for business. It’s a powerful brand and marketing message that signals to the world that your startup is more established, credible, and attuned to your customer’s needs.
Compliance protects your startup against devastating financial and reputation losses. It ensures your company is built on solid processes that remain strong and secure as your team grows, your product becomes more complex, and you take on bigger clients. Without it, you put yourself, your startup, and your customers at risk of losing it all.
This chapter guides you through what the SOC 2 trust services criteria and COSO frameworks are. We’ll help you understand how to think about the scope of your SOC 2.
Let’s talk about the differences between a SOC 2 Type 1 and Type 2 report. How do the types of SOC 2 reports impact your business?
This section will equip you with a realistic timeline of work and effort, and a breakdown of costs to get SOC 2 certified. No surprises.
Specifically, how do you implement SOC 2 within your organization? In this section, we drill down on technical and non-technical controls.
How do SOC 2 audits work? This section will cover everything you need to know about a typical SOC 2 audit process.
This chapter will help you make sense of your SOC 2 report, providing you with an overview of what each section means.
This section runs you through a checklist to better organize all the tasks needed to get SOC 2 certified and assess your readiness for an audit.