The question “How is a SOC 2 different for organizations outside the US?” has been asked of me numerous times. Enough that I thought a quick article on the subject would be appropriate.
Let’s start off with some background on the SOC 2 audit or examination. The SOC 2 is a US standard, but it is also required for some international companies that have US-based customers. The American Institute of Certified Public Accountants (AICPA) is the governing entity of the SOC 2, and therefore, only CPAs and CPA firms are qualified to conduct SOC 2 attestation audits. A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
This statement holds true for every SOC 2 examination that I have performed in the US and internationally: every service organization has to meet the same security criteria, and, except for rare situations, organizations will NOT have identical controls to achieve that. The reason is that every organization is different and will have different controls. The organizations where controls are similar are usually start-ups where very few controls are in place prior to the SOC 2 audit, and the start-up is more or less looking to fulfill the criteria. The security criteria are the only SOC 2 principle that is mandatory for the audit. All other principles are optional and are usually chosen either by the user entities requiring the SOC 2 or based on the industry in which the SOC 2 audit is being done. For example, a data center will often do security, availability, and confidentiality.
The preassessment or readiness assessment is also similar for international and US-based companies. This consulting engagement is done prior to the start of the SOC 2 audit period. The service organization will work with the CPA firm to align current controls with the criteria in the principles chosen, as well as to communicate to the organization any gaps that need to be filled. Additional details on SOC preassessments have been covered in a prior article. The assessment is typically done by the same firm that is doing the SOC 2 audit.
The largest issues with a SOC 2 audit for international companies are likely the distance and a possible language barrier. Both have been easily solved by technology implemented at McKonly and Asbury. If you are an international firm and have been asked for a SOC 2 report, it is as attainable as if you were in the US. Regardless of location, there is a lot of work to be done to achieve a clean audit, depending on the maturity of your organization’s controls. That work is accomplished in the preassessment or readiness assessment engagement, but there are no additional steps for international companies.
If you have questions on a SOC 2, whether you are a US-based or an international organization, please contact David Hammarberg, leader of the firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology practices. McKonly & Asbury, LLP would like to discuss your service organization’s SOC 2.