SOC 2 Audit

How do you validate the security of your organization’s services? A SOC 2 audit evaluates controls that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s internal controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. The result? A SOC 2 report validating the organization’s commitment to delivering high quality, secure services to clients.

SOC 2 audits are one of our specialties, and we deliver SOC 2 reports to our customers. Our Information Security Auditors are senior-level experts, holding certifications such as CISSP, CISA, and CRISC, who help you maintain SOC 2 compliance.

Our audit delivery tool streamlines the audit process, helps reduce the complexity of compliance efforts, and gives our clients the ability to combine multiple audit frameworks into one audit. Connect with us today to learn about the time it takes to complete a SOC 2 audit and understand the cost of receiving a SOC 2 report.

How much does a SOC 2 audit cost?

Pricing for a SOC 2 audit depends on scoping factors, including business applications, technology platforms, physical locations, third parties, audit frequency, and the Trust Services Criteria to be included in the audit. Pricing will also vary based on the report type you choose, inclusion of a gap analysis, or inclusion of additional remediation time.

What is the SOC 2 audit process?

The SOC 2 audit typically consists of the following:

  • Gap analysis
  • Scoping exercises
  • Onsite visit
  • Evidence gathering period
  • A SOC 2 report

The SOC 2 audit process must be facilitated by licensed CPA firms.

How long does a SOC 2 audit take to complete?

The average SOC 2 audit, using AASC’s process, is completed in 12 weeks. The engagement begins with scoping procedures, then moves into an onsite visit, evidence review, report writing, and concludes with the delivery of a SOC 2 report. This timeline is extended when a gap analysis must be performed or when remediation takes longer than expected.

Who can perform a SOC 2 audit?

A SOC 2 audit can only be performed by an auditor at a licensed CPA firm, specifically one that specializes in information security. SOC 2 audits are regulated by the AICPA.

What do I receive when my SOC 2 audit is complete?

A SOC 2 audit culminates in a SOC 2 report. The components and formatting of SOC 2 reports delivered by AASC are based on guidelines provided by the AICPA and written by our in-house Professional Writing team. SOC 2 reports provide a service organization’s clients with documentation outlining its system and controls, demonstrate how client information is maintained in a secure manner, and aid clients in evaluating the effectiveness of controls that may require their administration.

How long is a SOC 2 report valid?

The opinion stated in a SOC 2 report is valid for twelve months following the date the SOC 2 report was issued.

How often does a SOC 2 audit need to be performed?

The industry standard is to schedule a SOC 2 audit (Type I or Type II) annually, or whenever significant changes are made that will affect the control environment. Auditing less frequently than that demonstrates a lack of commitment to compliance and may cause distrust in the service organization’s systems.

Who is involved in a SOC 2 audit?

In every SOC 2 engagement, our Information Security Auditors are required by the AICPA to maintain communication with management and those charged with governance from the service organization. Other team members involved in the audit could come from anywhere in your organization, ranging from human resources to development to compliance officers – anyone with the appropriate responsibilities for and knowledge of the matters concerned in the audit.

A SOC 3 report is meant to inform any interested parties about the operating effectiveness of internal controls at the service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy, in connection with a SOC 2 engagement. Public distribution of these reports is not restricted.