SOC 2 Audit
An audit tests your security program against specific Trust Services Principles and Criteria.
FRSecure performs a full array of information security assessments and audits including FISMA, ISO Certification, NERC/FERC, FDA, SEC, FINRA, SOX, and more. If you’re looking for an assessment, we’ve likely done it before, and are happy to discuss your needs with you. Call us today.
What is a SOC 2 Audit?
An SSAE16 SOC 2 audit is an audit of your security program against a set of Trust Services Principles. The Trust Services Principles are sets of specific criteria that you need to meet in order to successfully complete a SOC 2 audit. You can choose one or more of the TSPs to audit against (there are five in total: Security, Availability, Processing Integrity, Confidentiality, and Privacy).
Further, there are two types of SSAE16 SOC 2 audits: Type 1 and Type 2.
- SOC 2 Type 1 is a snapshot in time. It audits whether or not you have the controls from the selected TSPs in place.
- SOC 2 Type 2 is a measurement over time. It determines whether or not you comply with the selected TSP controls over a period of 6 months.
Why would I want one?
SSAE16 audits replaced the SAS70 audit, so if you used to get SAS70 audits you may choose to continue on with a SOC 2. SOC 2 is a recognized security audit, but we would want to discuss with you whether it’s the right decision for you. A SOC 2 is different from a full information security assessment, but there are valid reasons to pursue one:
- Your competitors are getting SOC 2 audits
- You want one for marketing purposes
- A valued customer is requiring one
What is the process for completing the audit?
On a high-level, the SSAE16 SOC 2 process is comprised of the following steps:
- Define Attestation Engagement Scope – Determination of which Trust Services Principles and Criteria will be attested against. Description of the “system” to be attested against.
- Planning and Coordination – Planning timelines, resource constraints, and activities.
- Information Gathering – Identify existing or required controls through discussions with management, and review of available documentation.
- Perform Readiness Review – Identify gaps requiring management attention.
- Prepare and Present Gap Assessment Reports – Communicate prioritized recommendations to address any identified gaps.
- Remediation Plan Creation – Hold working sessions to discuss alternatives and remediation plans.
- Remediate documentation gaps
- Prepare SSAE16 SOC 2, Type 1 Attestation validation packet
- Complete the SSAE16 SOC 2, Type 1 Attestation
- Preparation for the SSAE16 SOC 2, Type 2 attestation engagement
- Complete the SSAE16 SOC 2, Type 2 Attestation period
- Complete the SSAE16 SOC 2, Type 2 Attestation
What are the deliverables I should expect?
Deliverables for an SSAE16 SOC 2 are:
- SOC 2 Pre-Audit Assessment Executive Summary
- SOC 2 Pre-Audit Assessment Final Report
- SOC 2 Pre-Audit Action Plan
- Documentation Required Prior to SOC 2 Type 1 Attestation
- SOC 2 Type 1 Validation Packet
- SOC 2 Type 1 Attestation Report
- SOC 2 Type 1 Certificate of Achievement
- SOC 2 Type 2 Attestation Report
- SOC 2 Type 2 Certificate of Achievement
What does a SOC 2 audit cost?
There are multiple components to an SSAE16 SOC 2 audit. Because of this, FRSecure strives to determine the best possible approach for our clients to ensure successful completion of the audit in a cost-effective way. All you need to do is spend a few minutes on the phone with our team to make sure we are delivering exactly what you need and want.