A SOC 2 audit report is a 30-40 page document that describes a service organization’s controls and whether it stands up to scrutiny. An organization can choose a SOC 2 report that focuses on any of the five trust services criteria and either a Type 1 or Type 2.
Written by an AICPA (American Institute of Certified Public Accountants) accredited firm, a SOC 2 report serves mainly as auditor-to-auditor communication. It’s meant to be read, understood, and evaluated by other compliance and information security professionals. Use of the report is generally restricted.
A strong understanding of SOC 1, SOC 2, and SOC 3 is required to decide which SOC audit a business needs.
Once a business has determined which SOC attestation best fits their goals, they’ll want to pick between the two SOC 2 Types: SOC 2 Type I and SOC 2 Type II. (See section 4 for more details on SOC 2 Types)
All SOC reports are verified by the AICPA and tested against one or more of the trust services criteria. (Learn more about TSCs here)
We’ve seen SOC 2 audits start around $20,000 for startups and cost hundreds of thousands for larger companies. Your cost will depend on a number of factors:
For the audit and report alone, expect to pay $10,000 to $30,000 for a SOC 2 Type 1 audit and around $30,000 for a SOC 2 Type 2 audit.
Only an AICPA-accredited CPA firm can conduct your SOC 2 audit. However, that doesn’t mean that every CPA firm is a good fit for your startup’s SOC 2 audit. (See audit section)
Certain auditors are more startup-friendly than others. Find a CPA firm that understands the specific needs of tech-focused startups rather than more traditional companies. For example, you’ll want to work with an auditor who understands the impact that cloud-based information storage, co-working spaces, and other unique considerations have on compliance.
As mentioned previously, a SOC 2 report is particularly important for growth-focused B2B startups that are looking to move upmarket and attract bigger customers. Today, enterprise buyers require businesses to become SOC 2 compliant.
Enterprise companies may love your product or service, but they can’t accept proposals until your business answers 100-question security questionnaires. In order to fill those out, businesses need to have a SOC 2 program in place.
A SOC 2 report not only shows enterprises that your business is established, credible, and attuned to customers’ needs, but also ready to answer their due diligence questions quickly and efficiently.
A SOC 2 report is broken down into four sections: Independent Auditor’s Report, Management Assertions, Description of the System, and Auditor’s Tests of Controls and Results of Tests. Let’s break down the four:
What is the independent auditor’s report?
The report from the auditor provides the service auditor’s opinion on the system description, design, and operating effectiveness in meeting the control objectives. Your auditor will provide an opinion on how the business tests against the Trust Services Principles in scope.
If the auditor’s opinion agrees with the next section, management assertions, the business receives a clean bill of health, meaning the service organization’s system can be trusted.
What are management assertions?
Management assertions provide facts and assertions made by the service organization that relate to the systems under audit. The business is responsible for providing complete, accurate, and reliable information for the assessment.
What is the description of the system?
The description of the system section provides an overview of the business’s services, offerings, and structure. This section covers what the business is used for, what kind of data the system holds and transmits, and an overview of the types of users. It also includes internal business information such as where employees are located, the types of teams the company leverages, and more.
What are the auditor’s tests of controls and results of tests?
The auditor’s tests of controls and results of tests section is typically displayed in a matrix:
Between SOC reports, audit firms sometimes issue ‘Bridge Letters’ to serve as intermediate validation that can be useful for your sales and security diligence conversations.
Your SOC 2 report lasts for one year. That means that once a year has passed since your completed audit, you will need to undergo the process again.
This is because startups grow, processes and systems become more complex, and teams change. It doesn’t take long for an ambitious startup to outgrow its audit. This means the evidence you gather and the controls your auditor tests in your subsequent annual SOC 2 audits will likely look different from your first.
While there’s no obligation to pursue compliance to begin with, much less every year, you run the risk of upsetting customers and blocking sales, particularly bigger enterprise deals, by operating on a stale SOC 2 report.
Remember, many enterprise customers won’t consider working with a startup without SOC 2 in place. (See the Introduction for more information.)