SOC 2 Type 2 Audit for SaaS CompaniesGetting a SOC 2 Type II Report can be a game-changer for a SaaS Company. It can transform how you respond to RFQs and how you assure potential leads that your systems are secure. Most SaaS companies view the cost of a SOC 2 Certification / Examination as an investment in their future revenue. They plan meticulously to succeed in their SOC 2 audit and stay certified.

A SOC 2 audit is conducted by an authorized CPA firm or SOC 2 auditor that you select. During your SOC 2 audit, they assess the design and performance of your internal controls at a point in time or over a defined number of months. During the audit period they take a sample to test the end-to-end performance of these controls and report their findings. The results of the audit and the effectiveness of the controls are outlined in the SOC 2 audit report. This helps clients and business partners understand which Trust Services Criteria your systems adhere to. By staying SOC 2 certified, you can continue to assure stakeholders of the value of working with your company.

Preparing for your SOC 2 audit

SaaS companies begin preparing for their SOC 2 audit by implementing the internal controls that are important to their clients. They gather evidence and documentation and look for a SOC 2 auditor who understands their industry and customer requirements. One way to verify the authenticity of the CPA Firm / SOC 2 auditor is by checking the AICPA’s Public File Search.

As you prepare for your SOC 2 Type II audit or during the audit itself, you may face challenges with their SOC 2 auditor that can be avoided. One such confusion is with regards to the Trust Services Criteria.

Are you expected to follow all the Trust Services Criteria?

AICPA has outlined 5 Trust Services Criteria as part of the SOC 2 framework – Security, Availability, Confidentiality, Privacy and Processing Integrity. However, any organization that wants to get SOC 2 certified, is allowed to select the criteria they want and implement the respective internal controls. During the SOC 2 audit, your auditor is only expected to review the criteria that you have selected. They cannot ask you to comply with more criteria than the one(s) you have selected.

Typically, a SaaS company may choose to implement the follow Trust Services criteria:

  1. Security: This focuses on protecting information and all systems from unauthorized access.
  2. Availability: This focuses on the resiliency of the infrastructure, information and software.
  3. Confidentiality: This refers to the company’ ability to restrict access and ensure that data is disclosed only to authorized personnel or organizations.

They may also choose to implement certain controls under the remaining 2 criteria if their clients require it.

  1. Privacy: This addresses the organization’ ability to protect Personally Identifiable Information (PII) and ensure that it cannot be used to identify any individual. Privacy as a TSC, is primarily essential for Direct to Consumer engagement.
  2. Processing integrity: This verifies if the systems achieve their purpose – the delivery of complete and accurate data, within the correct timeframe and level of access.

What happens in a SOC 2 audit of a SaaS company?

A SOC 2 audit only begins when all the controls are in place and all aspects of information security are performing as designed. To check their level of preparedness, SaaS companies may opt for a SOC 2 Readiness Assessment. This can be a failsafe option since all the controls are tested and evidence is systematically organized and checked by a consultant. You get an opportunity to plug the gaps, complete your evidence collection and begin writing the ‘Management’ Assertion’. This section is submitted by the company to the SOC 2 auditor and included in your SOC 2 Report. During this time, you can also vet potential SOC 2 auditors and finalize the scope of your engagement.

Once you select your auditor, discuss your engagement and finalize your scope, the audit period begins on the date decided by the SOC 2 auditor. The first SOC 2 examination period is usually 3-6 months. The company cannot modify any process during the audit period. The start date of a SOC 2 audit is in the future, and it is shared with the CPA firm. Performance evaluated outside of the SOC 2 audit period cannot influence or be part of the SOC 2 report.

The audit period begins with the auditors collecting evidence for all the controls and for some controls with populations, selecting a random sample from a population of data, based on AICPA Guidelines and scientific sampling principles. During the SOC 2 audit, auditors observe security controls in action as they relate to the random sample. The company is expected to showcase evidence and confirm that all the controls have been designed and implemented per intent. If controls are implemented correctly and the company is SOC 2 ready, customer data is protected, and no violation is observed. The absence of activity during the audit is a sign of success since it implies that all aspects of data protection are in place. The testing of the controls starts immediately after the audit period ends. The sample’s test results are included in the SOC 2 report.

How is a SOC 2 Type II audit different for a SaaS Company?

Physical security controls may not be applicable for a SOC 2 certification / examination of a SaaS company because the tech infrastructure is hosted with a Cloud Service Provider. Since  SaaS companies outsource it to a 3rd party, they are responsible for it. As a result, an on-site audit may also be optional for a SaaS company.

Your SOC 2 audit might also include reviewing the SOC 2 reports of your vendors and partners. Your SOC 2 auditor might verify and validate CUECs of your vendors as well.

How regularly are you required to perform a SOC 2 audit?

A SOC 2 report is valid for 12 months. SOC 2 audits are conducted every 12 -18 months to help you stay certified. You reserve the right to change your SOC 2 auditor after every engagement and modify the Trust Services Criteria during each SOC 2 audit. In our experience as SOC 2 Readiness Assessment consultants, we have observed that SaaS companies usually add additional controls and criteria while continuing to implement previous controls. They also tend to improve in the way they structure and gather evidence to reduce the amount of time and effort during each SOC 2 audit.

What is the cost of a SOC 2 Certification / Examination?

The cost of a SOC 2 certification can be divided into 2 sections:

Cost of SOC 2 Readiness Assessment: Consultants who specialize in preparing firms for SOC 2 can help you  design /implement new controls, draft and implement policies and procedures, provide customized staff training, review your evidence documents and help you draft the ‘Management’ Assertion’. They can also help you streamline the Complementary User Entity Controls (CUECs) that your customers will need to have in place to use your services properly. Some examples of CUECs are password complexities, time out parameters and MFA.  These have to be set up by the customer, not necessarily the SaaS company. The client and SaaS company have shared a responsibility to ensure security. The SaaS company is responsible for defining CUECs clearly and your customer is responsible for implementing them.

Working with a SOC 2 readiness partner who has previous experience in your industry can also help you streamline the Trust Services Criteria that will be important to your clients. This will help you plug any gaps and not only help you prepare for your SOC 2 audit but also for the RFQs where you will include your SOC 2 Report. A typical SOC 2 engagement for readiness could cost anywhere from USD 10,000 – 50,000.

Cost of SOC 2 Certification / Examination: A SOC 2 examination by a CPA firm could cost anywhere from USD 15,000 – 30,000 depending on the trust services criteria you select. However, the price should not be the predominant factor that influences your decision. A SOC 2 auditor who understands your industry will be able to clearly mention the Complementary User Entity Controls (CUECs) in the SOC 2 Report. These controls are intended for your customer – the actual consumer of the SOC 2 report. They inform your customer about the controls they need to implement in their systems to properly use your services. You also need to read the fine print that is part of the engagement contract and ensure that you are not legally obligated to work with the same SOC 2 auditor or authorized CPA firm for the next few years.

The ideal SOC 2 auditor is the one who respects your selection of the Trust Services Criteria, understands what your customer’s need to know and ensures that your scope is clearly mapped before the engagement begins. You can review some recommendations to help you avoid challenges you may face with a SOC 2 auditor.

 How databrackets can support your SOC 2 Journey ?

Experts at databrackets have extensive experience in supporting organizations that align their processes with AICPA’s Trust Services Criteria and prepare for a SOC 2 Audit. If you would like to connect with an expert to better understand SOC 2 and plan your SOC 2 journey, do not hesitate to schedule a consultation.

 Related Links:

Last Updated on January 19, 2023 By Aditi SalhotraIn SOC 2