SaaS companies are scrambling to get SOC 2 compliant, and fast. But why? Because demonstrating information security reduces sales barriers, boosts customer trust and ensures the protection of sensitive data.
But getting SOC 2 compliant is super complicated and eats up loads of time for employees. Moreover, many organizations lack the knowledge and experience required for SOC 2, and have no idea where to begin.
SOC 2 (Service Organization Controls 2) is a set of compliance requirements geared toward technology-based companies that store customer data in the cloud. SOC 2 is both an audit procedure and a set of criteria. It is a voluntary compliance standard that specifies how an organization should manage its internal controls.
The American Institute of Certified Public Accountants (AICPA) introduced SOC 2 in response to growing concerns over data protection and security. The AICPA developed a set of criteria to be used when evaluating the design and operating effectiveness of an organization’s controls relevant to the Trust Service Principles (TSP): Security, Availability, Confidentiality, Processing Integrity, and/or Privacy. An organization addresses risks through the implementation of suitably designed controls that, if operating effectively, ensure the organization achieves its objectives, based on the TSP.
SOC 2 is not mandatory; however, it is highly advised for service providers or SaaS companies that store, process, or transmit customer data. It is in the best interest of the organization to ensure security protocols are in place and operating effectively to protect their customers’ data. More and more companies are seeking SOC 2 reports because of the ever-expanding digital world and the security risks that come with it, and because more customers are making the report a ‘must’ in order to do business with technology-based organizations.
It is applicable for companies in a wide range of industries, including but not limited to:
FinTech
Healthcare
Cybersecurity
Marketing & Sales
Human Resources
Banking
Insurance
Payment service providers
Data center hosting providers
Business Intelligence
There are very distinct reasons why SaaS companies need a SOC 2 report and why it is in the best interest of the company. SOC 2 can also place a company at an advantage in its operating market, as well as in its sales potential.
Key benefits of SOC 2 and why the report matters:
Customer Requirements
Many potential customers will demand a company’s SOC 2 report before entering into any business deal or even proceeding to any further sales discussions. Therefore, without SOC 2, companies are very likely to lose valuable business or fail to reach full potential. Achieving and maintaining SOC 2 compliance also plays a major role in customer retention. In addition, it assists in meeting and attaining contractual obligations.
Competitive Advantage
Demonstrating SOC 2 allows a company to stand out amongst other players in the market that have not made the decision to undergo the attestation. It gives customers comfort and confidence in their decision to work with software providers, and could even be a deal breaker for some customers. The report takes a company to the next level through compliance, as the choice has been made to undergo a SOC 2 audit for the greater good of the company and its customers. With this in mind, a SOC 2 report leads to an increase in sales and deals being closed faster, with the customers that request the report.
Reduce security risks and consequences
SOC 2 ensures a company’s security posture is of a high standard. Therefore, SOC 2 significantly reduces the chance of a data breach, human mistake or fraud, and the consequences that come with such an incident. Audits can be quite costly, but fines due to a data breach cause far greater financial damage. Then, there is also the reputational damage that attaches to the company’s name.
According to Verizon’s 2021 Data Breach Investigation Report, there were 5250 confirmed breaches.
Security Commitment
SOC 2 demonstrates to the public a company’s dedication to a high level of information security. Protecting customer data also means protecting the financial information as well as other sensitive information of user entities or clients. It also shines a light on a company’s ethics, professionalism and quality standards. In addition, it improves risk management and identifies improvement opportunities.
Once an organization decides to undergo SOC 2, one of the first steps is identifying which of the five Trust Service Principles to include in the report. The five Trust Service Principles are Security, Availability, Processing Integrity, Confidentiality and Privacy. An organization can choose to address one or more of these principles, with Security being mandatory. It is not required for an organization to address all the principles. However, it is advised that the principles that apply to the organization and the services it provides to its customers should be included.
The Five Trust Service Principles:
| Principle | Description |
|---|---|
| Security | Security evaluates the effectiveness of data security systems. The system must be protected against unauthorized access and data breach. Some security controls are logical firewalls, MFA (multi-factor authentication), unified endpoint management, anti-virus, access control, and password management. |
| Availability | The system should always be up for use by customers (or at least 99% of time). Availability ensures continuous delivery, minimal disruptions and reliable performance of systems. For this to happen, there must be a process to monitor whether the system meets its minimum acceptable performance, security incident handling, backups, restoration and disaster recovery. |
| Processing Integrity | Refers to data being complete, accurate and delivered on time. This trust principle covers process validation and internal quality assurance. Processing Integrity ensures that system functions and transaction processing are accurate, timely and have no delays or errors. |
| Confidentiality | Covers identifying, managing and protecting confidential data from its creation through to its destruction and disposal. Some practices for maintaining confidentiality are encryption, limiting access to authorized personnel only, asset mapping, classification, labeling, audit trails and more. The main difference between Confidentiality and Privacy is that Confidentiality protects confidential/non-personal information, while Privacy protects personal information. |
| Privacy | Addresses whether the system’s collection, use, retention, disclosure and disposal of personal information is in line with an organization’s privacy policy, as well as with the AICPA’s generally accepted privacy principles (GAPP). Personally identifiable information (PII) refers to details related to an individual’s identity, such as full name, physical address, bank account number and social security number. Controls must be put in place to protect all PII from unauthorized access. |
There are two types of SOC 2 audit reports that an organization can choose to undergo: Type I and Type II.
Type I
A SOC 2 Type I reports on the suitability of the design of an organization’s relevant trust service criteria controls. Therefore, it reports at a point in time with a specified date (and a shorter time to be audit-ready).
Type II
A SOC 2 Type II reports on the suitability of the design and operating effectiveness of an organization’s relevant trust service criteria controls. Therefore, it reports over a period of time, usually a three-to-twelve-month period is advised by the AICPA.
The next step is identifying whether type I or type II is best for an organization.
Type I is a great starting point for an organization that is new to the SOC 2 compliance journey. Type I is also suitable for an organization that wants to demonstrate its information security relatively quickly but cannot afford to undergo an entire observation period, due to a lack of time or other resources. SOC 2 Type I is ideal for smaller companies that have not yet developed a mature information security management system. It will provide them with all the fundamentals of SOC 2, as well as prepare them for a Type II. However, an organization can only undergo a Type I once, and thereafter must undergo a Type II audit if/when the organization decides to.
Type II proves that an organization has a reliable security system and that it is effective. After receiving a SOC 2 Type II report, an organization needs to remain consistent with the objectives of these controls. Type II is always recommended, as it is a comprehensive examination that proves a high level of security, due to its evaluation of the operating effectiveness of the relevant controls. Additionally, if an organization already has sound security systems and controls in place, then Type II is definitely the report to undergo. Type II is also often requested specifically by customers during the sales process (mainly by their security, legal or compliance departments). This is due to the consistent and accurate evaluation of an organization’s trust service criteria controls over the period of time.
Many companies that have decided to undergo SOC 2 compliance simply don’t know where to begin, how long the process will take and what it entails from start to finish. The following is a general summary of the process of achieving SOC 2.
For startups, first-timers and companies that do not have a compliance specialist, hands-on guidance during the preparation process is extremely helpful. Professional advice is needed regarding a company’s current security, availability, confidentiality, processing integrity and privacy status versus the SOC 2 framework, best practices and the particular scope necessary for the report.
In a 2021 study published by the Cloud Security Alliance (CSA), lack of knowledge and expertise was identified as the primary barrier (59%) to general cloud security and the primary cause (62%) of misconfigurations. This statistic highlights the importance of utilizing a trusted compliance partner to provide the relevant cloud security training and knowledge needed to master cloud security.
A crucial part of SOC 2 is identifying which of the five Trust Service Principles (explained under 1.3) are necessary to include in the audit. The controls that will be monitored depend on which TSPs are included. A fixed list of controls under each criterion (meaning a list not tailored to your organization) is not best practice, as every organization is different. Therefore, the controls should cover the specific risks and aspects that are relevant to a particular company. The selected SOC 2 partner will assist in identifying which controls are necessary for each organization. Another part of scoping is deciding on timelines for the audit. This includes deciding on the reporting period if the company is undergoing a SOC 2 Type II, and should be based on readiness and business objectives.
Only a licensed and independent CPA firm that specializes in IT audits or information security can conduct a SOC 2 audit. The firm must be AICPA-affiliated and comply with all the guidelines and updates provided by the AICPA. When choosing a suitable auditor, it is important to select an auditor that understands the specific industry a company operates in and the needs and culture of the organization. An important consideration is choosing a firm in which the auditors have extensive experience and knowledge with SOC 2 audits and that have worked with companies similar in size. There are the Big 4 (KPMG, Deloitte, EY and PwC) and other large firms, as well as smaller, boutique firms. Audit costs and timeframes will also differ and are another consideration when selecting an auditor.
This part of SOC 2 preparation is vital, as it not only confirms whether or not a company is ready for its official audit, but highlights any areas that still require attention. A gap analysis will identify whether the control environment meets the relevant SOC 2 criteria, and any necessary remediation will then take place. It is also essential to ensure all documentation is gathered, such as relevant policies and procedures, along with the implementation of all the agreed controls. The chosen SOC 2 partner will examine the design of the organization’s controls and their correct mapping to the relevant criteria and points of focus.
See below a general ‘checklist’ of some practices that will be reviewed to evaluate an organization’s SOC 2 readiness:
After a company undergoes its observation period if doing SOC 2 Type II (explained under 1.4), the official audit will take place. The auditor will assess the controls in place, specifically whether they are operating in the manner that has been stated and comply with the criteria outlined by the SOC 2 guide. The service auditor will issue the organization’s SOC 2 Type I or SOC 2 Type II report with details of the testing results.
It is important to note that SOC 2 is an attestation and not a certification. A SOC 2 report is an examination. The attestation report provides the auditor’s opinion, attesting whether the internal controls of a service organization are in place and meet the criteria of the Trust Service Principles. This is the reason why there is no pass or fail of SOC 2, but rather a professional opinion in the eyes of the auditor.
There are four types of audit opinions:
One year after a SOC 2 report is issued, it is vital to renew the report in order to remain competitive and maintain the standard of customer expectations. If an organization does not undergo a SOC 2 audit on an annual basis, it is very possible that certain customers will turn to competitors that are fully reliable and consistent with InfoSec compliance. The golden rule is that a SOC 2 audit should be scheduled every 12 months. Companies should be continuously monitoring their relevant controls throughout the year, ensuring compliance remains on track and that compliance objectives are being met. This also includes ensuring policies and procedures are kept up to date. Continuous audit management also ensures an organization remains SOC 2 ready prior to the audit – waiting until a month before the scheduled audit to ensure everything is in order is not the best compliance practice.
The following is a general overview of a SOC 2 report and its different elements:
| Element | Content |
|---|---|
| Management’s Assertion | In this section, management explains to the auditor how the company’s system is designed and how it is expected to operate. |
| Auditor’s opinion | This is the professional opinion of the auditor regarding whether the results of the control testing have matched the management’s assertion and system description with the company's security commitments. |
| System Description – Section III Report | This section provides a holistic and detailed view of the company and its operations. It covers the people, processes, and technology that support the software and service provided. |
| Description and results of the tests | This includes a breakdown of the relevant controls being tested and their results during the reporting period. |
| Other information | Any other information regarding the controls that is deemed important to include in the report. |
In recent years, a number of software platforms, known as SOC 2 automation tools, have appeared in the compliance space. They are designed to improve the SOC 2 preparation process and make attaining SOC 2 compliance faster and simpler.
The most significant way these tools enhance efficiency is by automating evidence collection, which has traditionally been a manual process, and by providing a centralized location for a company’s SOC 2 documentation. The auditor can access that information when performing the official audit and review the testing results of the controls. Depending on the features and functionality of the tool, it can benefit both the organization and the auditors significantly in making SOC 2 more efficient.
The below points summarize the key benefits of SOC 2 compliance automation technology:
Lighter workload
The reality is achieving SOC 2 compliance and maintaining it consistently is a dreaded task, involving all the preparation leading up to the official audit. This includes manual collection of documentation and evidence, spreadsheets, back and forth communication between the auditor and the organization and many other admin tasks.
Compliance automation tools automate and centralize the collection of auditor-approved evidence and all preparation work within the tool. It is very easy to track the status of SOC 2 workflows and find any required documentation. This massive reduction in manual compliance tasks saves teams significant time, effort and workload during the SOC 2 preparation period.
Professional Support
Another major speedbump that SaaS companies experience, especially startups and first timers, is knowing how exactly the process works and where exactly to begin. These companies are often unfamiliar with compliance-specific terminology, and need guidance on requirements and execution methodology.
It is therefore highly recommended to have a SOC 2 expert accessible to provide hands-on support and guidance through each step of the way, significantly simplifying the process. SOC 2 automation combined with advisory services is the ideal combination for achieving compliance.
Customization of Controls
Because many small to medium-sized companies get lost in designing and selecting which controls are applicable to them, many have resorted to using a fixed list of controls. As mentioned earlier in the paper, the problem with this method is that each organization has its own unique risks based on its system, industry, data and organizational structure. Therefore, controls should be designed specifically for each organization and mapped to the relevant point of focus under the matching criterion.
The right SOC 2 partner will help customize a list of controls tailored to each organization. Organizations do not need to spend time trying to understand which controls need to be included, as the SOC 2 professionals will advise on which exact controls should be included in the SOC 2 reporting. This is based on the organization’s particular business operations, industry, risk and customers.
Time and money savings
A major concern of organizations undergoing SOC 2 compliance is the amount of time taken up by getting ready for the audit. The preparation period interrupts employees’ daily responsibilities. This can also cause reductions and delays in sales. Another aspect is the cost involved, including high audit fees, SOC 2 consultants and any additional software needed.
Compliance automation, alongside advisory services, significantly reduces, and in many cases eliminates, the majority of the time that would usually be spent on preparation and audit management. Because part of the auditors’ workload is completed or reduced in advance, this often also decreases audit costs.
Reduced human error
Without automation and smart technology, there is always an increased risk of failure in one way or another, as humans are bound to make mistakes. When an organization relies heavily on manual processes performed by employees, there is a high chance of human error.
Compliance automation technology continuously collects evidence and monitors compliance status. Therefore, when non-compliance is present, the tool alerts the organization and the issue can be rectified immediately. When security teams monitor their InfoSec systems without the help of automation, it is easy to miss a security problem, or to catch it only after a delay.
In addition, streamlining all workloads within the tool centralizes SOC 2 workflows, making the SOC 2 process more organized, reliable and accurate.
In the same study by the CSA, mentioned earlier in the paper, breaches and incidents due to misconfigurations were caused mainly (68%) by a lack of security visibility and monitoring capabilities. Utilizing a smart compliance tool allows an organization to have full visibility of its security posture and to track the status of systems and procedures.
For some companies, the requirements of SOC 2 overlap significantly with those of other major industry standards. A SOC 2 report may be sufficient for some customers. However, depending on the industry you operate in, some businesses require other industry frameworks. For example, healthcare and financial services have additional industry-specific regulations and requirements.
For this reason, the AICPA has created SOC 2+ reports.
SOC 2+ reports integrate multiple frameworks or security standards into one report. These frameworks include:
HITRUST
ISO 27001
NIST
COSO
COBIT
CSA
These reports can be used to demonstrate compliance not only in SOC 2, but also with other important frameworks and certifications.
Because these reports incorporate SOC 2 together with other frameworks, there are significant benefits for companies, making compliance more convenient and less redundant. Compliance is being revolutionized. Organizations are able to spend less time and fewer resources preparing for these audits, and compliance violations are less likely to occur.
These overlaps have the potential to reduce overall compliance costs and workloads. Repeated testing for different compliance frameworks, multiple firms performing different audits and the other nuances that come with multiple compliance efforts can be significantly reduced and addressed in one report.
These efficiencies will increase the demand for integrated framework reports.
There is another framework, created by the AICPA, that has significant overlaps with SOC 2: SOC for Cybersecurity.
SOC for Cybersecurity is a framework that provides a structured and transparent evaluation of an organization’s cybersecurity risk management practices.
Similar to SOC 2, a third-party CPA completes the assessment. Both reports contain management’s description, management’s assertion, and the auditor’s written assertion and opinion.
However, the following table outlines some key differences:
| | SOC 2 | SOC for Cybersecurity |
|---|---|---|
| Subject matter and scope | Reporting on a system and effectiveness of controls related to the TSP | Reporting on a cybersecurity risk management program |
| Audience | Limited, specialized audiences that need to vet specific service systems | Broad range of general users interested in the risk management program |
| Controls | Controls based exclusively on the five Trust Services Principles (TSP) | Controls baseline - can use a range of underlying frameworks — including TSP, NIST, COBIT, FISMA. |
| 3rd party risk | Choice to evaluate subservice organizations in report | Evaluation of subservice organizations included in report |
| Description of control testing and results | Yes | No |
| Report types | Type I and Type II | Design-only examination |

#1 Lack of leadership involvement or no designated project manager
SOC 2 has many moving parts that need to be managed well. Management should take a top-down approach, providing full support, being hands-on with the project and working directly with partners, auditors and employees. It also helps significantly if an employee is assigned as the project manager. Lacking either is a common error that delays SOC 2 compliance and makes the process messy and disorganized.

#2 Underestimating the importance of a readiness assessment
Failing to assess whether a company is fully ready to undergo the official audit can cause major issues, such as control failures or missing required documentation. It is vital to undergo a gap analysis to detect any weaknesses and then allocate time to remediate them. This way, the audit will be a lot smoother, the company is more likely to receive an unqualified opinion, and the risk of deviations being noted is reduced.

#3 Thinking SOC 2 is a once-off achievement
A SOC 2 report is not a once-off examination. SOC 2 audits should be renewed once a year. This also means that continuous compliance and risk management need to be maintained over the 12-month period in which the company will be tested. Auditors use the “Trust but Verify” approach, which means evidence will need to be collected as proof that compliance was reasonably sufficient over this period.
In a report by Forrester, it was found that SaaS adoption is rising quickly with ever-increasing percentages.
Global services decision-makers were asked whether they invest or plan to invest in technologies as part of their organization’s digital transformation strategy and if so, in which technologies.
See results below:
Source: Forrester Analytics Global Business Technographics® Business And Technology Services Survey, 2019
These results emphasize the heightened cyber risks and amplify the need for adoption of compliance standards, like SOC 2, to guard against exposures such as ransomware attacks, social engineering threats, new endpoints to manage, and other security risks. In the same study, data security and protection against cybercrime was the issue that most companies were most concerned with.
Another 2020 research paper, by Gartner, on “Transforming teams to lead with SaaS,” highlights how SaaS is raising hurdles, such as malicious cyber attacks or negligent insider threats. The report states that, “the perceived ease of procuring and deploying SaaS belies the underlying complexity of ensuring governance and security without compromising user experience (UX) and user productivity.”
There is continuing growth in the number of SaaS companies and in the percentage of businesses that use SaaS applications within their business operations.
The rise in use of SaaS adds complexity, as organizations need to also ensure information security. Poorly-managed SaaS applications can lead to legal, reputational, or security risks.
To mitigate risk, companies need to create proper security protocols, which leads to the need for InfoSec compliance standards, such as SOC 2. Significantly more attention is being allocated to SOC 2 compliance, with the growing tech-world and its cyber threats.
Achieving and maintaining SOC 2 compliance has been made simpler in recent years with the introduction of automation tools. SOC 2 automation tools allow organizations to achieve SOC 2 compliance without the associated daunting and tedious workloads. This is due to the tools’ effective audit management, automated evidence collection and continuous monitoring of an organization’s controls. Ultimately, compliance automation significantly reduces the SOC 2 project timeframe and ensures that it is an uncomplicated and organized process.