A SOC 2 audit is an examination of a service organization’s compliance with SOC 2, according to the Trust Service Criteria defined by the AICPA.
A SOC 2 Type 1 report covers:
Because a Type 1 report is framed around a specific date, it does not include tests of controls or their results. Generally, the CPA who performs the audit issues an opinion on the suitability of the control design.
During a Type 2 audit, the auditors review the description of controls to understand how to test them and judge their effectiveness.
In a SOC 2 Type 2 report, the auditor issues an opinion similar to a Type 1, with the addition of operating effectiveness. Controls are evaluated over a period of time, typically a 12-month period. The report includes the auditor's descriptions of the control tests performed and their results.
Any certified public accountant (CPA) affiliated with the AICPA can perform a SOC 2 audit.
Realistically, technology-forward businesses should hire an auditor that is familiar with the SOC 2 framework, since such an auditor can evaluate a security posture quickly and efficiently. While that includes the big-name firms, there are plenty of accounting firms that specialize in security audits and charge much less.
A couple of weeks to several months.
Unfortunately, the length of a SOC 2 audit is variable: it can last anywhere from a week to multiple months, depending on preparation, how well the evidence is organized, and communication with the auditors.
This section runs you through a checklist to better organize all the tasks needed to get SOC 2 certified and assess your readiness for an audit.