SOC 2: What It Is and How to Use It Before Your Audit Even Begins

By Jonathan Krasner, Account Executive

Get the skinny on SOC2, including how you benefit from the guidelines and process.

Have you ever wondered why SOC 2 is administered by a group of accountants? Many people I talk to have no idea. When I explain that SOC2 is handled by the AICPA—the Association of International Certified Professional Accountants—they can’t help wondering why “bean counters” are even involved with cyber security.

But it makes more sense than you might think. CPAs excel at auditing—and the SOC 2 certification process is essentially an extended audit of your cyber security operations. Once the audit is complete, the CPA issues its “attestation report”—an official statement from your certified auditor that your systems and controls offer adequate cyber security protection.

That statement does not indicate a licensure or regulation, so “SOC2 compliance” is a misnomer. In fact, SOC2 attestation is a statement—verified by a CPA—that your cyber security meets the Trust Services Criteria and other guidelines that spell out requirements for implementing and maintaining security controls.

For that reason, failing to pass your audit does not stop you from doing business. Your next step would be mitigating your risk and undergoing the process again. Most companies choose to find and fix vulnerabilities before starting over. Their data is protected, and they can prove it to customers and investors—which is what they care about.

Put another way, it’s the documentation that matters rather than the credential.

The same thing holds true for ISO 27001, which is not a requirement for doing business, but like SOC2, assures clients and investors that a company’s cyber security plan meets industry standards for protecting data.

Weighing the Costs of SOC2 Attestation

Unlike companies facing financial audits—which typically have internal auditors to help—organizations facing SOC 2 audits often walk into the process without comprehending the time and money the process can take.

Some companies expect they can rely on their in-house IT teams to work the SOC2 process into their regular responsibilities. And some IT employees enter the process believing that’s possible. But this is not a spare-time project; it takes focus and expertise. So time is the most significant soft cost.

The hard costs are easier to define:

  • a governance, risk management, and compliance platform (a SaaS platform to track your policies and evidence)
  • an auditor’s services
  • additional systems needed to comply with certain TSC controls (It is best practice to understand what additional systems you may need in advance of undertaking a SOC2 certification.)

There is a hard-cost solution to the soft-cost concern of losing time or lacking expertise: A contractor adept at conducting the assessments and offering vCISO services to help you mitigate vulnerabilities before a CPA starts evaluating your systems and protocols.


How to Benefit from SOC2 Guidelines before Even Seeking Attestation

SOC2 attestation signals to clients and investors that your organization is implementing cybersecurity controls that meet or exceed the industry standard for cyber security. But you can benefit from preparing for your audit before it even begins.

Remember, SOC2 is not a license. It’s a statement that all is in order. With your internal assessments complete, vulnerabilities addressed, and documentation in hand, customers and investors can evaluate your program’s maturity and they may elect to move forward before SOC 2 is in place.

Which leads me to a final question: Why wait?

For a more in-depth account of compliance versus cyber security, including SOC 2, read the article.

Trava’s virtual chief information security officers (vCISOs) provide expert guidance to help you prioritize action steps and plan cybersecurity investments. We can also help you prepare for an audit, SOC2 readiness, and other risk mitigation services.


Get cybersecurity tips, articles, and videos sent straight to your inbox