How do you determine what SOC report you need?
A strong understanding of SOC 1, SOC 2, and SOC 3 are required to decide which SOC audit a business needs.
- SOC 1: evaluates the effect of a service organization’s controls on a customer’s financial reporting
- SOC 2: evaluates if service providers are securely managing customer data, like personal information, to protect and ensure privacy; the most common framework for SaaS providers
- SOC 3: a public report of internal controls over security, availability, processing integrity, and confidentiality
Once a business has determined which SOC attestation best fits their goals, they’ll want to pick between the two SOC 2 Types: SOC 2 Type I and SOC 2 Type II. (See section 4 for more details)
- Type 1: tests design by looking at your description of controls at a particular point in time
- Type 2: tests operating effectiveness by collecting evidence of your controls in operation over a 6 to 12-month period
All SOC reports are verified by the AICPA and tested against one or more of the trust services criteria. (Learn more about TSC’s here)
- Security: focuses on the protection of information and systems against unauthorized access
- Availability: addresses network performance, downtime, security event handling, etc
- Processing Integrity: addresses processing errors and how long it takes to detect and fix them, as well as the incident-free storage and maintenance of data
- Confidentiality: addresses the handling and protection of information (personal or not) that you’ve agreed to designate confidential and secure for your customers
- Privacy: addresses the secure collecting, storing, and handling of personal information
How much does a SOC 2 report cost?
We’ve seen SOC 2 audits start around $20,000 for startups and cost hundreds of thousands for larger companies. Your cost will depend on a number of factors:
- Team size and distribution
- Lack or abundance of control documentation
- Complexity of services as well as the number and complexity of processes
- Scope of your audit (Trust Services Criteria and Type 1 or 2)
- Reputation of your auditor
For the audit and report alone, expect to pay $10,000 to $30,000 for a SOC 2 Type 1 audit and around $30,000 for a SOC 2 Type 2 audit.
Who can perform a SOC 2 Audit?
Only an AICPA accredited CPA firm can conduct your SOC 2 audit. However, that doesn’t mean that every CPA firm is a good fit for your startup’s SOC 2 audit. (See audit section)
Certain auditors are more startup-friendly than others. Find a CPA that understands the specific needs of tech-focused startups over more traditional companies. For example, you’ll want to work with an auditor who understands the impact cloud-based information storage, co-working spaces, and other unique considerations have on compliance.
How are SOC 2 reports used in the sales process?
As mentioned previously, a SOC 2 report is particularly important for growth-focused B2B startups that are looking to move upmarket and attract bigger customers. Today, enterprise buyers now require businesses to become SOC 2 compliant. Enterprise companies may love your product or service, but can’t accept proposals until businesses answer 100-question security questionnaires. In order to fill those out, businesses need to have a SOC 2 program in place. A SOC 2 report not only shows enterprises that your business is established, credible, and attuned to customers’ needs, but also ready to answer their due diligence questions quickly and efficiently.
What is the structure of a SOC 2 report?
A SOC 2 report is broken down into four sections: Independent Auditors Report, Management Assertions, Description of the System, and Auditor’s Tests of Controls and Results of Test. Let’s break down the four:
What is the independent auditor’s report?
The report from the auditor provides the service auditor’s opinion on the system description, design, and operating effectiveness to meet the control objectives. Your auditor will provide an opinion of how the business tests against the Trust Services Principles in scope. If the auditors’ opinion agrees with the management assertions, a business will receive a clean bill of health, meaning a service organization’s system can be trusted.
What are management assertions?
Management assertions provide facts and assertions made by the service organization that relates to the systems under audit. The business is responsible to provide complete, accurate, and reliable information for the assessment.
What is the description of the system?
The description of the system section provides an overview of the business services/offerings, and structure. This section will cover what the business is used for, what kind of data the system holds and transmits, and an overview of the types of users. Moreover, this section includes information on the internal business information like where employees are located, the types of teams the company leverages, and more.
What are the auditor’s tests of controls and results of tests?
The auditor’s tests of controls and results of tests section will typically be displayed in a matrix:
- Objectives related to the criteria of the report
- Controls in place at the service organization to meet the objectives
- Auditor’s tests of the controls
- Results of the tests
What is a bridge letter?
Between SOC reports, audit firms sometimes issue ‘Bridge Letters’ to serve as intermediate validation that can be useful for your sales and security diligence conversations.
How often do you need to get a new report?
Your SOC 2 report lasts for one year. That means, once a year passes from your completed audit, you will need to undergo the process again.
This is because startups grow, processes and systems become more complex, and teams change. It doesn’t take long for an ambitious startup to outgrow its audit. This means the evidence you gather and the controls your auditor tests in your subsequent annual SOC 2 audits will likely look different from your first.
While there’s no obligation to pursue compliance to begin with, much less every year, you run the risk of upsetting customers and blocking sales, particularly bigger enterprise deals, by operating on a stale SOC 2 report.
Remember, many enterprise customers won’t consider working with a startup without SOC 2 in place.