SOC 1 vs SOC 2 | When Is The Right Time To Pursue SOC 2?

Confusing SOC 1 and SOC 2 is easy. While both compliance frameworks attest to the controls used within your organization, the frameworks differ in focus. SOC 1 looks at your organization’s financial reporting, while SOC 2 focuses on how you secure and protect customer data. This blog post will focus on exploring the differences between SOC 1 and SOC 2.

How Long Does It Take To Complete a SOC Audit | A Timeline To Plan for SOC 2

You scheduled your on-site SOC 2 testing. While the initial step is complete, there is still a lot of process and time before you’re past the finish line. This post will help plan and manage time expectations and establish a timeline of deliverables - working backward from your audit start date.

The Purpose of SOC 2 Audits

SOC is a system of service organization controls. SOC stands for “system and organization controls,” and controls are a series of standards designed to help measure how well a given service organization regulates its information, user entities, and sensitive data - particularly customer data. The purpose of SOC standards is to create a level of confidence and trust for organizations when they engage third-party vendors. A SOC-certified organization (hey, that will be you soon!) has been audited by an independent certified public accountant who worked with your organization on a readiness assessment and

How To Stay SOC 2 Compliant | Advice For This Year’s Audit

It’s safe to say that not many service providers look forward to SOC 2 compliance. I'd guess not many of you have the AICPA on speed dial. Whether you're preparing for a Type 1 or Type 2, audits may be perceived as events that you prepare for and complete, but then eventually they go away - at least for a while. To stay SOC 2 compliant, we suggest a paradigm shift. Treat compliance as a continuous process rather than a point-in-time event. Unlike taxes, there is no 'audit-season.' Here are some tips for always being prepared for your next audit.

Embrace the idea that policies and procedures evolve

After spending considerable time getting your policies and procedures just right to address the trust services principles, it’s tempting to step back and say, “Good, we finally have all this great documentation, now let's not touch it again until we absolutely have

What Is SOC 2 Type 2 | A Guide To Complete Your First Type 2 Audit

There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. A SOC 2 Type 1 report looks at an organization’s controls at a point in time concerning its clients’ financial reporting. The SOC 2 Type 2 report measures those same controls over a more extended period. SOC 2 Type 1 builds on the reporting basis of SOC 1 but focuses on security controls rather than financial controls. The SOC 2 Type 2 examines the effectiveness of those controls over a six-month period. There is also a SOC 3 report, which is essentially the same data found in a SOC 2 but written for public consumption. This blog will focus on outlining the path to SOC 2 Type 2.

What Is A SOC 2 Report

Although SOC 1 and SOC 2 differ in many ways, they were both created by

How To Speed Up A SOC 2 Report | A Guide To Narrow SOC 2 Scope

SOC2 Team | Learn To Define Roles & Responsibilities

One of the most critical steps is selecting members to lead the initiative. Many organizations start planning for SOC 2 thinking they can delegate responsibilities solely to members of the IT and information security staff. And although members of those teams will play a big part in the process, your core SOC 2 team will also include HR, legal and other business units as well. This blog will help you understand your core SOC 2 team and how to build it.

SOC 2 Type 1 Guide | Everything You Need To Know

If you are new to compliance, it’s easy to confuse SOC 2 Type 1 and SOC 2 Type 2. SOC 2 Type 1 is different from Type 2 in that a Type 1 report assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type ii”) assesses how effective those controls are over time by observing operations for six months. If that weren’t confusing enough, SOC 2 is different than SOC 1, which focuses on an organization’s financial statements and financial reporting. It’s also different than SOC 3, which reports on the same information as SOC 2, but in a format intended for a more general audience. This blog post will focus specifically on SOC 2 Type 1. You will also need to determine which report types best fit the needs of your company and customers. For some background,

How Much Does SOC 2 Cost | A Guide Budgeting For SOC 2

Below is a breakdown of every SOC 2 cost, including unexpected expenses and the time required from your staff. While we can’t tell you whether or not it’s right for your organization, we can tell you what you need to know - from both a cost and time perspective - if you decide to pursue it. Here is your SOC 2 compliance checklist. Expect the cost of an auditor for SOC 2 Type 1 to be in the $12k-$17k range. But the cost of the audit itself is just the beginning. You will need months of dedicated time from your existing staff or consultants. Once the audit is complete, you will have a laundry list of items to remediate, which may necessitate the purchase of additional tools and training as well. First, assign someone to own the SOC 2 process from start to finish. Expect this to become a full
