Many service organizations’ SOC 2 Type II audit periods end in the fourth quarter, within a couple of months of their organization’s fiscal year end. SOC 2 Type II audits are increasingly required by user entities and viewed by many service organizations as a cost of doing business. A SOC 2 Type II audit should cover what the majority of its user entities believe are the service organization’s service commitments and system requirements. It is important that a user entity relying on the report reads and understands it, and compares its own expectations of the service organization’s service commitments and system requirements against what the service organization’s report actually communicates. A user entity may need to make further inquiries if there is a gap in expectations.
Gaps in expectations can be caused by many factors. Some of those factors include:
- You’re a user entity whose needs fall outside the normal service commitments and system requirements that the audit opines on. The service organization unintentionally left out what is important to your organization.
- The service organization’s SOC 2 provider is unqualified. This may be due to lower-than-normal fees that affect the quality of the audit, or because the service organization just wants the audit done and rubber-stamped.
There is a multitude of legitimate and illegitimate reasons why an expectation gap occurs. As a user entity, you need to understand the gap and make further inquiries.
Considering the quality of your SOC 2 Type II audit is crucial to understanding why your company pays what it does for an audit. It should not be regarded as a “check the box” exercise performed to satisfy customers, but as something the company prides itself on: documentation of the rigorous security measures taken to ensure that customer data is protected. This audit will only become more valuable in the future as we move toward a more technology-based and data-driven business environment.
For smaller companies seeking their initial SOC report, there are a few key areas you can assess when determining which provider would be best for you and your industry:
- Qualifications of the Auditor: Before engaging an auditor for a SOC 2 Type II audit, assess the qualifications of those who will be providing the final report. Do they hold any certifications? It’s important to know that those evaluating your company hold recognized certifications, such as CPA, CISA, and CISSP, among others. The audit leader should be a seasoned professional the company can go to with complex issues and questions. Don’t be afraid to ask for references. If an audit firm is proud of its work, it won’t have any trouble providing you with several references to interview.
- Set-up for Success: The company should ensure that the auditors’ primary focus is to educate the company and evaluate the current control environment. The auditor should ensure you understand the requirements for receiving a SOC 2 Type II audit, provide guidance on any questions or issues that might arise, and ultimately assist you in determining the scope of the audit and ensuring that all criteria have been met, in order to deliver a quality report that covers both the suitability of design and the operating effectiveness of the company’s control environment.
- Substance of the Report: When undergoing a SOC 2 Type II audit, pay special attention to the actual quality of the report you receive from the provider. When you review your report, there should be no spelling or grammatical errors. The report should flow well, be easy to read, and make the specific information you are looking for easy to find. It should also include all necessary sections: the opinion, management’s assertion, the system description, the control criteria, complementary user entity controls, and complementary subservice organization controls (if applicable), as well as the testing of the design and operating effectiveness of controls.
The SOC 2 Type II report is a tool that companies can use to validate that they hold the security of customer data to the highest standards. Companies must ensure they receive a quality report from an auditor who is competent and applies the highest standards when preparing the company’s report. The result is a company that understands the requirements and criteria necessary for receiving a report, with an auditor willing to assist with any questions that arise along the way. Keep in mind that merely obtaining the SOC report is not enough: every business should evaluate the final product as something it takes pride in, while also evaluating the process by which it was produced.
If you’d like to learn more about SOC reports or how to make sure you are receiving a quality report for your money, please reach out to David Hammarberg, leader of the firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology practices. McKonly & Asbury can answer any questions and help you determine whether a SOC 2 report would be useful for your company.
About the Author
Kevin joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the firm’s Audit & Assurance Segment, serving the manufacturing industry as well as the firm’s System and Organization Controls (SOC) practice.