
A SOC 2 Type 1 report covers:

Because a Type 1 report is framed around a specific date, it does not show tests of controls or the results of tests. Generally, the CPA that executes the audit will issue an opinion, which addresses the suitability of control architecture.

Type 2 audit

During a Type 2 audit, the auditors review the description of controls to understand how to test them and judge their effectiveness. In a SOC 2 Type 2 report, the auditor issues an opinion similar to that of a Type 1, with the addition of operating effectiveness. Controls are evaluated over a period of time, typically a 12-month period. The report includes descriptions of the auditor's control tests and their results.

Who can audit my SOC 2 compliance?

Any certified public accountant (CPA) affiliated with the AICPA can perform a SOC 2 audit. Realistically, technology-forward businesses should hire an auditor who is familiar with the SOC 2 framework. Such an auditor can quickly and easily evaluate a security posture. While that does include big-name firms, there are plenty of accounting firms that specialize in security audits and cost much less.

How long does a SOC 2 audit take?

A couple of weeks to several months. Unfortunately, the length of the audit is variable. It can last anywhere from a week to multiple months. The duration depends on preparation, organization of evidence, and communication with auditors.