This article is part of Laika University

SOC 2 Introduction

Your customers want it. Your customers (might) have it. What is SOC 2 and why does your startup need it?

Background

What is SOC 2?

SOC 2, which stands for System and Organization Controls report, is an auditing standard maintained by the American Institute of Certified Public Accountants (AICPA) to test an organization’s internal controls for information security and privacy. It’s an objective, third-party assessment that tells customers they can trust your startup to handle their information with the utmost care.

This is the compliance audit most commonly sought by startups, particularly SaaS companies, as it’s relevant for any business that uses the cloud to store data. To become compliant, a startup must choose one or more trust services criteria and a report type to test against.

What’s the difference between SOC 1, SOC 2, and SOC 3?

There are three types of SOC reports:

  • SOC 1: Service Organization Control 1 evaluates the effect of a service organization’s controls on its customers’ financial statements. For example, say your SaaS startup provides billing services to large companies. Chances are your customers will require the startup to become SOC 1 compliant because the startup’s billing process impacts their financial reporting. (See our section on SOC 1 vs SOC 2 for more details.)
  • SOC 2: Service Organization Control 2 is a procedure that examines service providers. The audit determines whether they securely manage third-party data, such as personal information, to protect that information and ensure privacy. Compliance with SOC 2 is usually a requirement when enterprises consider SaaS providers.
  • SOC 3: Service Organization Control 3 is a public report on internal controls over security, availability, processing integrity, and confidentiality. Like the other SOC reports, it is based on the Trust Services Criteria (TSC) established by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA).

What is SSAE 16 and SSAE 18?

You might hear the term ‘SSAE’ when referring to SOC audits. This refers to the AICPA’s Statement on Standards for Attestation Engagements: the standards auditors use to evaluate companies and, more specifically, to evaluate compliance controls.

In 2011 the AICPA introduced SSAE 16, formerly known as SAS 70, which required auditors to evaluate a startup’s internal controls and the impact the organization can have on the control environment. This was particularly important for auditors to accurately assess a company’s financial statements (SOC 1).

In 2017 the AICPA replaced SSAE 16 with SSAE 18, an assessment standard covering both SOC 1 and SOC 2. The main purpose of the update was to require companies to take more control of, and accountability for, their third-party vendors. The new standard requires businesses to apply the same risk assessment standards to vendors they work with directly and indirectly.

What is the Trust Services Criteria?

Issued by the AICPA, the Trust Services Criteria evaluate how companies process information and manage customer data. They cover five components: security, privacy, availability, processing integrity, and confidentiality. To define the scope of the audit and the necessary controls, a SOC 2 report must address one or more of these criteria.

What is the COSO framework?

In 2013, the AICPA combined the TSC framework with the COSO framework, which is used to assess the design, implementation, and maintenance of a startup’s controls. Complementary to the TSC, COSO’s five components are:

  • Risk assessments
  • Information and communication
  • Existing control activities
  • Monitoring activities
  • Control environments

The TSC and COSO frameworks help businesses work towards a clear set of guidelines when achieving their SOC 2. Get more details on TSC and COSO in Section 3.

What are the types of SOC 2 reports?

There are two types of SOC 2 reports companies can obtain: Type 1 and Type 2. The difference between them is design versus operating effectiveness.

A Type 1 report tests design by looking at your description of controls at a particular point in time. A Type 2 report tests operating effectiveness by collecting evidence of your controls in operation over a 6 to 12-month period. Check out our section on report types for more details.

What kinds of companies need SOC 2?

If your business does anything with data and software, or uses cloud computing, chances are you will need a SOC 2 audit at some point. Specifically designed for businesses that store data in the cloud, SOC 2 applies to almost every SaaS business.

A SOC 2 report is particularly important for growth-focused B2B startups that are looking to move upmarket and attract bigger customers. Today, enterprise buyers routinely require vendors to be SOC 2 compliant.

While most startups seek out a SOC 2 audit after reaching their Series A or B, it may be beneficial to do so earlier if you’ve already begun selling to enterprise customers.

Why is SOC 2 compliance important for startups?

SOC 2 compliance is important because it:

  • Helps businesses move through enterprise procurement
  • Establishes credibility and sets you apart from your competitors
  • Protects sensitive data from breaches and other threats

Enterprise companies expect startups to meet the same procurement cycles and compliance requirements as any other vendor (see: Growth strategy most founders overlook). In many cases, bigger customers will ask you to become SOC 2 compliant before working with them.

Savvy startups also use SOC 2 compliance as a competitive differentiator. Compliance doesn’t just tell enterprise buyers that you are open for business. It’s a powerful brand and marketing message that signals to the world that your startup is more established, credible, and attuned to your customer’s needs.

Compliance helps protect your startup against devastating financial and reputational losses. It ensures your company is built on solid processes that remain strong and secure as your team grows, your product becomes more complex, and you take on bigger clients. Without it, you put yourself, your startup, and your customers at risk.

Keep reading

  • SOC 2 vs SOC 1
  • SOC 2 Criteria: This chapter guides you through what the SOC 2 trust services criteria and COSO frameworks are. We’ll help you understand how to think about the scope of your SOC 2.
  • SOC 2 Type 1 vs Type 2: Let’s talk about the differences between a SOC 2 Type 1 and Type 2 report. How do the types of SOC 2 reports impact your business?
  • SOC 2 Cost: This section will equip you with a realistic timeline of work and effort, and a breakdown of costs to get SOC 2 certified. No surprises.
  • SOC 2 Controls List: Specifically, how do you implement SOC 2 within your organization? In this section, we drill down on technical and non-technical controls.
  • SOC 2 Audit: How do SOC 2 audits work? This section will cover everything you need to know about a typical SOC 2 audit process.
  • SOC 2 Report: This chapter will help you make sense of your SOC 2 report, providing you with an overview of what each section means.
  • SOC 2 Checklist: This section runs you through a checklist to better organize all the tasks needed to get SOC 2 certified and assess your readiness for an audit.
