By:
JORDAN HICKS
November 23rd, 2021
If you’ve decided to try for compliance, you might already know that, given how much this space has evolved in just the last 20 years, there are a lot of ways to do that.
By:
JORDAN HICKS
November 11th, 2021
The great philosopher Plato said, “a good decision is based on knowledge and not on numbers.” With all due respect to Plato, he did not have to pay for compliance assessments in ancient Greece. But of course, he’s not all wrong—not even when it comes to compliance—you do need knowledge to proceed towards your end goal of a completed report and successful audit. If you’re someone who is considering a SOC 2 audit, be it due to customer request or just because, you may already understand that this examination will evaluate your product or service on a more operational and security-oriented level.
Assurance / Service Audits | SOC Examinations
By:
FRANCISCO ARAUJO
April 16th, 2018
Imagine this: it's a late Wednesday afternoon and you are wrapping up your previous SOC engagement while simultaneously working on your current engagement. A check of your upcoming schedule reveals that next week, yet another SOC engagement for a client in your area looms. Juggling multiple engagements can be tricky, but much less so if there’s a tried and true process that’s become routine. Here are five easy steps to help an auditor prepare for a SOC engagement.
By:
Chad Goubeaux
June 23rd, 2017
As you likely know, there are different System and Organization Controls (SOC) report options, such as SOC 1 and SOC 2/SOC 3. What may be lesser known is that within those SOC report options, there are also different types, referred to as Type 1 and Type 2. In other words, “Type” distinguishes between the specified options available for both the SOC 1 and SOC 2 reports.
Healthcare Assessments | SOC Examinations
By:
GARY NELSON
May 1st, 2017
The short answer is...yes. Now for the long answer - a SOC 2 report requires that a service organization has sufficient control activities in place to address the Trust Services Principles and Criteria (TSPC) developed by the AICPA. However, there are no stipulations by the AICPA as to what those control activities have to be. As long as the criteria are satisfactorily addressed to align with the risks that a service organization has identified, a service organization has some flexibility with the controls they implement.
Healthcare Assessments | SOC Examinations
By:
OLIVIA REFILE
September 27th, 2016
What is the SOC 2? At a high level, a SOC 2 examination is a report on internal controls of a service organization related to the Trust Service Principles and Criteria (TSPs), which include security, availability, processing integrity, confidentiality and/or privacy. Reporting on these TSPs can provide assurance around the adequacy of your services’ security control environment.
ISO Certifications | SOC Examinations
By:
Danny Manimbo
September 6th, 2016
NOTE: Schellman has since updated and expanded this information in an article found here.