SOC 2 Type 2 Report: Understanding What You Need

by: Katelan Suzanne Price
Verified by: CPA

November 3, 2023


If your business is in the process of moving upmarket to target public companies, you will likely be asked to share a SOC 2 report during the due diligence phase. SOC 2 reports measure your company’s information security infrastructure against the American Institute of Certified Public Accountants (AICPA) standards, demonstrating to clients and vendors that your business can be trusted with their data. 

In many instances, a new client may ask your business for a SOC 2 Type 2 report with all five criteria. Your team might agree to this term and sign the contract, only to realize later that securing this type of report is a significant undertaking that your business is completely unprepared for. Alternatively, your business may be continuing to lose out on enterprise contracts because it lacks a SOC 2 report. 

Regardless of the circumstances, it’s unlikely you need a SOC 2 Type 2 report with all five criteria. In this article, we share an overview of what your clients actually want to see and outline the path toward fulfilling those expectations. 

What Type of SOC Report Do You Need?

A SOC 2 Type 2 report with all five criteria is the most rigorous SOC report, but unless you’re working with one of the largest public companies, it’s extremely unlikely your business needs such an in-depth report.

The AICPA standards use five criteria to evaluate an organization’s security controls: security, availability, processing integrity, confidentiality, and privacy. Typically, however, a SOC 2 Type 2 report with three criteria (security, availability, and confidentiality) will fulfill customer requirements, even if at first the customer asks for a SOC report with all five criteria.

In many cases, a SOC 2 Type 1 report provides your customers with the assurance they need to begin working with you as you work toward obtaining a Type 2 report. 

Often, customers don’t understand what they’re requesting when they ask for a SOC 2 Type 2 report with all five criteria. It’s not a feasible request: your business won’t be able to fulfill it, and neither will your competitors. 

Instead, in the vast majority of cases, your customers simply want to see a concrete plan toward obtaining a SOC 2 Type 2 report. Depending on your business’s current level of information security maturity, that’s a process that can take as long as two years. 

Here’s what the process typically looks like:

  • Readiness Assessment: these informal assessments help you understand whether your business is ready for a SOC 2 Type 1 report and identify areas you must strengthen before undergoing a SOC audit. 
  • SOC 2 Type 1 report: a formal audit that assesses your business’s information security controls at a single point in time. 
  • SOC 2 Type 2 report: a formal audit that tests the effectiveness of your business’s information security controls over a period of time, typically six to twelve months. 

The speed with which your business can complete this process and receive a SOC 2 Type 2 report is driven by various factors – most notably your business’s level of readiness. 

Establishing Your Business’s SOC 2 Readiness

To determine how soon your business will be ready for a SOC 2 Type 1 audit, it’s necessary to consider a variety of readiness indicators, including:

  • Whether anyone on your team has gone through a SOC report previously and understands the process
  • Whether your business is already compliant with other information security frameworks, such as NIST, ISO 27001, or PCI-DSS
  • The maturity of existing security policies and human resources procedures

Often, the best way to determine your business’s current readiness level is through a series of conversations with a firm that specializes in SOC work, such as Smith + Howard. Such a specialized team can help you understand where you are in your SOC journey and provide a realistic expectation of when you can expect to meet your goals. 

Following this, the typical first step is a SOC Readiness Assessment. This assessment provides an overview of your business’s existing compliance environment, analyzing your business’s policies, existing controls, security activities, documentation, and risk management frameworks. Post assessment, the SOC team provides guidance on the steps your business should take to bolster its policies and processes.

Only when your business has completed these remediations and the advised steps should it schedule a SOC 2 Type 1 audit.

How Soon Can You Get a SOC 2 Report?

The time it takes a business to obtain a SOC 2 report is driven by various factors, including its current level of maturity and its motivation to complete the process. Typically, it takes anywhere from 6 to 24 months for a business to receive a SOC 2 Type 1 report. 

The majority of companies that seek a SOC 2 report lack the readiness to successfully undergo a formal audit. They may have to create or update internal information security policies. Activities such as a formal risk assessment, a penetration test, vulnerability scanning, and security awareness training should be completed. Tabletop exercises of your business continuity, disaster recovery, and security incident plans should also be completed before an audit.

Our team is more than happy to provide clients guidance and advice throughout this process, but businesses must complete these activities independently. 

The process often moves more quickly when there is appropriate support within your company for the SOC reporting process. Ideally, a high-ranking executive with plenty of influence across your business, such as a Chief Technical Officer (CTO), Chief Information Security Officer (CISO), or a Chief Information Officer (CIO), should lead this process.

The Value of Proactively Obtaining a SOC Report

It’s advisable for businesses to begin the process of obtaining a SOC report before they’re required to share it with customers. Ideally, businesses should start this process two years or so before they believe they will be required to share a SOC report with customers.

Obtaining a SOC 2 report opens doors to an entirely new customer base: large, enterprise companies. It’s a lucrative market that many startups aim to enter one day. Laying the groundwork for this expansion with a SOC report removes future barriers to growth, enhancing the long-term prospects of your business. 

Smith + Howard: Experienced SOC 2 Assurance Professionals

Obtaining a SOC 2 report is an important step for all growing businesses, serving as a sign of organizational maturity that opens up access to large enterprise clients. It’s an important process that cannot be rushed, and one that requires support from SOC reporting professionals.

At Smith + Howard, our SOC 2 professionals work with a wide variety of clients. Our team combines a wealth of SOC report experience with the resources of a full-service CPA firm. We pair personal, responsive service with a sophisticated technical approach that provides clients with in-depth insights into their information security maturity.

To kick off your SOC 2 journey, contact an advisor today to set up an initial conversation with our team.
