SOC (System and Organization Controls – formerly Service Organization Controls) audits are an independent assessment of the risks associated with using service organisations and other third parties.

They are essential to regulatory oversight, vendor management programmes, internal governance and risk management.

There are three levels of SOC audit for service organisations:

• SOC 1 audits relate to organisations’ ICFR (internal control over financial reporting). They are conducted against the assurance standards ISAE (International Standard for Assurance Engagements) 3402 or SSAE (Statement on Standards for Attestation Engagements) 18.
• SOC 2 audits assess service organisations’ security, availability, processing integrity, confidentiality and privacy controls against the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria), in accordance with SSAE 18. A SOC 2 report is generally used for existing or prospective clients.

In the UK, SOC 2 audits can also be carried out against ISAE 3000. You can learn more about using the ISAEs for SOC 2 examinations in the AICPA document SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

• SOC 3 audits are like SOC 2 audits, but their reports are much more concise and designed for a general audience.

SOC 1 and SOC 2 audits are divided into two types:

• Type 1 – an audit carried out on a specified date.
• Type 2 – an audit carried out over a specified period, usually a minimum of six months.

SOC 3 audits are always Type 2.

The AICPA has also developed SOC for cybersecurity and SOC for Supply Chain.

A SOC 2 audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and privacy controls, based on their compliance with the AICPA’s TSC, in accordance with SSAE 18.

It includes:

1. An opinion letter.
2. Management assertion.
3. A detailed description of the system or service.
4. Details of the selected trust services categories.
5. Tests of controls and the results of testing.
6. Optional additional information, such as technical information or plans for new systems, details about business continuity planning, or the clarification of contextual issues.

It also specifies whether the service organisation complies with the TSC.

What are the AICPA TSC?

The TSC are industry-recognised, third-party control criteria for auditing service organisations. They are divided into 5 trust services categories – security, availability, processing integrity, confidentiality and privacy.

Criteria common to these 5 categories are aligned with the 17 principles in the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework.

The common criteria cover:

1. The control environment
2. Communication and information
3. Risk assessment
4. Monitoring of controls
5. Control activities related to the design and implementation of controls

In addition to these 17 common criteria, there are supplemental criteria for four of the five trust services categories. (The security category has no supplemental criteria of its own.) These supplemental criteria can also apply to any or all of the other categories. For instance, criteria related to logical access can apply to all five categories.

The supplemental criteria cover:

• Logical and physical access controls
• System operations
• Change management
• Risk mitigation

Service organisations must select which of the five trust services categories they must cover to mitigate the key risks to the service or system that they provide:

Full criteria here

Security: “Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”

This is the only mandatory trust services category.

Availability: “Information and systems are available for operation and use to meet the entity’s objectives.”

Processing integrity : “System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”

Confidentiality : “Information designated as confidential is protected to meet the entity’s objectives.”

Privacy : “Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.”

SOC 2 audits are aimed at organisations that provide services and systems to client organisations (for example, Cloud service providers, software providers and developers, web marketing companies and financial services organisations).

A client company might ask the service organisation to provide an assurance audit report, particularly if confidential or private data is entrusted to the service organisation.

If your organisation provides Cloud services, a SOC 2 audit report will go a long way to establishing trust with customers and stakeholders. A SOC 2 audit is often a prerequisite for service organisations to partner with or provide services to tier one companies in the supply chain.

In the US, a SOC audit can only be performed by an independent CPA (Certified Public Accountant) or accountancy organisation.

SOC auditors are regulated by, and must adhere to specific professional standards established by, the AICPA. They are also required to follow specific guidance related to planning, executing and supervising audit procedures. AICPA members are also required to undergo a peer review to ensure their audits are conducted in accordance with accepted auditing standards.

CPA organisations may employ non-CPA professionals with relevant IT and security skills to prepare for a SOC audit, but the final report must be provided and issued by a CPA. A successful SOC audit carried out by a CPA permits the service organisation to use the AICPA logo on its website.

In the UK, SOC audits can be conducted by a qualified member of the ICAEW (Institute of Chartered Accountants in England and Wales) or an equivalent organisation.

Certification to ISO 27001, the international standard for information security management, shows that an organisation has implemented an ISMS (information security management system) that conforms to information security best practice.

Whereas an ISO 27001 certification audit assesses an organisation’s information security controls at a given time, a SOC 2 Type 2 audit is more comprehensive, covering several months, and results in a formal attestation rather than a certificate.

It might therefore be argued that a SOC 2 Type 2 report provides greater – and more specific – assurance than ISO 27001 certification.

However, a SOC 2 audit report is the opinion of the auditor – there is no compliance framework or certification scheme. With ISO 27001 certification, an accredited certification body confirms that the organisation has implemented an ISMS that conforms to the Standard’s best practice.

Just as there are benefits to both ISO 27001 and SOC 2, there is sufficient overlap between SOC 2 and ISO 27001 to justify addressing them simultaneously and incorporating your SOC 2 compliance into your ISO 27001-compliant ISMS.

For instance, you can structure your risk assessment and risk treatment plan to account for the five SOC 2 and SOC 3 trust services categories (security, availability, processing integrity, confidentiality and privacy).

This consultancy service has been designed to help you prepare for and pass a SOC 2 audit. It evaluates your organisation’s audit-readiness by assessing the suitability of the TSC risk-mitigating controls to the service(s) you offer.

The SOC 2 Readiness Assessment results in a detailed report that identifies any areas in which your controls fall short of the required standard.

This service includes advice on defining a suitable audit scope, guidance in compiling the content of the service or system description, and assistance in identifying which of the TSC are relevant to your organisation’s key risks.

Learn more about this service

The SOC 2 Remediation Service can help you rectify any compliance gaps identified by our SOC 2 Readiness Assessment. Remediation consultancy is specific to each organisation but typically could include the following:

• Development of policies/procedures and modification of existing policies/procedures;
• Conducting a risk assessment;
• Selecting appropriate controls; and
• Testing to ensure that new controls have been implemented and are operating effectively.

Learn more about this service

Although SOC 2 reports do not technically expire, they are generally considered valid for 12 months.

Once you’ve passed your SOC 2 audit, you’ll therefore want to maintain your compliance with your selected TSC to ensure your recertification audit goes as smoothly as possible – after all, no one wants to start again from scratch the following year, especially if they also have to add extra security controls to meet the requirements of new clients.

Our extensive expertise helping organisations implement and maintain information security best practices means we can support you as you embed the controls you need to operate securely.

Learn more about this service

GRC Solutions specialises in providing IT governance, risk management and compliance solutions and consultancy services, focusing on information security and ISO 27001, cyber security, data privacy and business continuity.

In an increasingly punitive and privacy-focused business environment, we are committed to helping organisations protect themselves and their customers from cyber threats.

Our deep industry expertise and pragmatic approach help our clients improve their defences and make critical strategic decisions that benefit the entire organisation.

GRC Solutions is duly recognised under the following frameworks:

• CREST certified as ethical security testers.
• Certified to Cyber Essentials and Cyber Essentials Plus, the UK government-backed cyber security certification scheme.
• Certified to ISO 27001.

Read more about our credentials

What is a SOC 2 audit?
A SOC 2 audit is an independent assessment that evaluates how well an organisation protects customer data against the five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy.

What is a SOC 2 Type 1 audit?
A SOC 2 Type 1 audit reviews the design of an organisation’s controls at a single point in time, confirming whether they are suitably designed to meet the Trust Services Criteria.

What is a SOC 2 Type 2 audit?
A SOC 2 Type 2 audit goes further, testing the operating effectiveness of controls over a defined period (usually 6–12 months). It provides stronger assurance than Type 1.

How long does a SOC 2 audit take?
The timeline depends on the type and scope. A Type 1 audit can be completed in weeks, while a Type 2 audit requires continuous monitoring and usually takes 6–12 months to gather enough evidence.

How much does a SOC 2 audit cost?
Costs vary based on company size, systems and scope. Small businesses may pay tens of thousands of pounds, while larger organisations often spend significantly more. Preparation costs, such as consultancy and tooling, should also be factored in.

How often are SOC 2 audits done?
Most organisations complete a SOC 2 audit annually to provide continuous assurance to customers and regulators.

What does a SOC 2 audit include?
A SOC 2 audit includes an independent review of policies, procedures, systems and controls that safeguard customer data. Evidence collection and staff interviews are common parts of the process.

How do you prepare for a SOC 2 audit?
Preparation involves scoping the systems in scope, conducting a readiness assessment, implementing required controls, gathering evidence and addressing any gaps before the audit begins.

What is the difference between SOC 1 and SOC 2 audits?
SOC 1 focuses on financial reporting controls, while SOC 2 focuses on data security and the Trust Services Criteria. Many technology and SaaS companies are asked specifically for SOC 2 reports.