During a SOC 2 examination, an independent third party service auditor like Schellman would assess your internal controls and business processes against your applicable and chosen SOC 2 trust services criteria before providing a report you can share with customers and other stakeholders to reassure them that their data is safe with you.
After you’ve worked to ensure your internal controls address the SOC 2 criteria for security (and other trust service criteria categories), an impartial third party will confirm the systems and processes you have in place to fulfill your service commitments.
Successfully passing a SOC 2 examination is objective evidence that you’ve taken steps to secure your customers’ data, which improves your credibility and brand reputation within your market.
The SOC 2 examination has become a very popular compliance initiative—not just because your controls are up to an industry-accepted standard, but because they also sync well with other frameworks and regulations, like ISO 27001 and HIPAA.
Useful for organizations that want to demonstrate their commitment to data security to stakeholders and customers, a SOC 2 Type 1 report evaluates how well-designed and implemented your controls and processes are at a specific point in time.
On the other hand, a SOC 2 Type 2 report is an evaluation over a period of time—typically six months or more. During the examination, your auditor will assess how well-designed and implemented your controls are, as well as whether they’re operating effectively in meeting your chosen trust services criteria categories.
The most important step in any SOC 2 examination, this stage will ensure your controls and evidence with the agreed-upon terms and expectations set by your customers, as you and your auditors will work together to determine timelines, scope, and deliverables, among other items necessary to proceed with the examination.
The kickoff is considered the start of the engagement. If needed, Schellman will schedule a call at the beginning of, or just prior to, the kickoff to finalize any outstanding items. Schellman will be available to the client with any questions.
By including communication prior to starting, Schellman ensures that no last-minute changes to the project or team have occurred and the Client has the plan prior to the testing and on-site visit.
After you’ve submitted the requested evidence, your auditors will perform process walkthroughs and interviews in combination with their evidence reviews and inspections—that includes any necessary follow-up conversations with evidence owners as well as cataloguing and documenting the test results.
Once testing is complete, you auditors will assemble a draft report containing the test results and other required process narratives and provide it to you for review. Once you approve the contents, it will be finalized for your distribution to customers and other stakeholders.
In this definitive guide to tailoring your SOC 2 examination, we’ve divided the decisions you’ll need to make into four sections that will progressively customize all the options you have into just the ones you need.
Read this and not only will you have a greater knowledge base on the particulars of SOC 2 internally, but you’ll be able to save time in sales calls, knowing exactly what you want from your auditor, and thereby get started quicker.
Chad Goubeaux is a Manager with Schellman based in Columbus, Ohio. Prior to joining Schellman in 2020, Chad worked for a Big 4 accounting firm specializing in financial statement audits. Chad has over 4 years of experience comprised of serving clients in various industries, including Healthcare and Building Materials. Chad is now focused primarily on SOC 1 and SOC 2 examinations for organizations across various industries.
Have a question? See a list of commonly asked questions below. If you still can't find an answer, contact us!
The cost of a SOC 2 audit can depend on a number of the size of the organization, the complexity of its systems and controls, and the type of auditor.
The timeline for your SOC 2 examination will depend on several factors—including the size and complexity of your business, the current state of your controls and processes, and the scope of the examination—but generally, the process can take several months to complete.
To ensure accuracy and consistency, it is recommended that businesses initiate a new engagement at the end of their last reporting period (for a Type 2 report). By maintaining an examination process that covers each fiscal year, you can demonstrate your commitment to compliance and ongoing testing of controls, which ultimately contributes to the overall health and success of their organization.