In the latest episode of Cherry Bekaert’s Risk & Accounting Advisory podcast series, Neal Beggan is joined by Steven Ursillo and Dan Sembler, both partners in our Information Assurance & Cybersecurity practice. During this episode, they discuss the many benefits of Service Organization Control (SOC) 2 reports, such as security insights, customer trust and risk management, and how those benefits bring value to a company. Listeners will also discover how to prepare for a SOC 2 examination, what to expect during the reporting process, and the different types of SOC 2 reports.

Tune in to learn more about:

  • The value of SOC 2 and potential benefits
  • How a SOC 2 report differs from a SOC 1 examination
  • The components of a SOC 2 report and how to prepare


HOST: NEAL BEGGAN: Hello and welcome to the Risk and Accounting Advisory Podcast. My name is Neal Beggan, partner in the Risk Advisory Practice here at Cherry Bekaert.

HOST: NEAL BEGGAN: On today's podcast, I'm joined by Steven Ursillo and Dan Sembler, both partners and leaders in Cherry Bekaert's Information Assurance and Cybersecurity Practice. Today we will discuss SOC 2 reports, the value they provide to organizations and customers, and how to get started if you haven't already.

HOST: NEAL BEGGAN: Both Steven and Dan have spent years performing these examinations and helping clients meet their compliance needs while also driving value and guiding clients through an efficient audit process. Gentlemen, thanks for joining me.

STEVEN URSILLO: Thanks, Neal.

DAN SEMBLER: Thank you.

HOST: NEAL BEGGAN: Let's jump right in. Steven, I'm going to start with you. Please explain the specifics of a SOC 2 report and the differences between a SOC 1 examination and a SOC 2 audit.

STEVEN URSILLO: SOC 1 and SOC 2 reports are both attestation reports developed by the AICPA to assess controls at service organizations. They are attest engagements, which means they represent the highest level of assurance a CPA firm can provide.

STEVEN URSILLO: SOC 1 focuses on financial reporting. It's used to assess the impact of a service organization's controls on the financial statements of its customers or user entities and is driven by financial statement assertions.

STEVEN URSILLO: SOC 2 focuses on operations and compliance. It covers controls related to security, availability, processing integrity, confidentiality, and privacy—the five trust service categories. SOC 2 provides depth and transparency on controls needed to meet service-level commitments, typically around security or privacy.

STEVEN URSILLO: A SOC 1 is often applicable to user entities such as customers of payroll processors who are concerned about the materiality and accuracy of transactions affecting their financial statements. SOC 2 is commonly used for diligence and vendor risk management, allowing organizations to demonstrate maturity regarding their service-level commitments.

STEVEN URSILLO: SOC 2 also offers flexibility through SOC 2+. Organizations can map requirements from other frameworks—HIPAA for healthcare or NIST SP 800-171 for government contracting, which aligns with CMMC level 2 base criteria—into their SOC 2. This provides additional transparency for regulators, business partners, customers, and stakeholders.

STEVEN URSILLO: Both SOC 1 and SOC 2 offer Type 1 and Type 2 engagements. A Type 1 covers the accuracy of the system description and the design of controls at a point in time. A Type 2 includes the Type 1 elements plus operating effectiveness over a period of time.

STEVEN URSILLO: In summary: SOC 1 addresses financial reporting; SOC 2 addresses operations and compliance.

HOST: NEAL BEGGAN: That makes complete sense. You mentioned some of this already, but how does performing a SOC 2 benefit an organization and add value?

STEVEN URSILLO: SOC 2 provides insight and transparency on a particular system, including the system boundaries. It allows organizations to report on their internal control structure. A SOC 2 is a report on internal controls aligned with criteria and helps demonstrate governance, risk, and compliance measures, often mapped to COSO.

STEVEN URSILLO: The report shows which systems are involved, how they are executed, who is responsible, and the key controls that support service commitments. Typical expectations include multi-factor authentication, change management, and incident response.

STEVEN URSILLO: SOC 2 also clarifies how an organization interoperates with third parties, or subservice organizations, such as cloud providers or MSSPs. It shows which boundaries are included or carved out and where control responsibilities lie.

STEVEN URSILLO: For user entities, SOC 2 clarifies what they need to do to fulfill their agreements and helps maintain security when working with a provider. It builds trust with customers, business partners, prospects, regulators, and stakeholders by demonstrating the ability to meet controls and achieve operating effectiveness.

STEVEN URSILLO: SOC 2 is a useful tool for third-party risk management and can provide a competitive advantage when comparing providers.

HOST: NEAL BEGGAN: Dan, how would a company prepare for a SOC 2 audit?

DAN SEMBLER: First, understand that SOC reports must be issued by CPAs or CPA firms, but the subject matter is typically focused on IT controls, security, privacy, compliance, and operations. Look for an audit team with a broader range of talent, not just CPAs.

DAN SEMBLER: Teams should include Certified Information Systems Auditors (CISA) and Certified Information Systems Security Professionals (CISSP), plus other technical certifications such as cloud certifications. That expertise leads to a better report and higher value.

DAN SEMBLER: There is a readiness or gap assessment to identify the key components of the report. Decide whether you need a Type 1 or Type 2 report based on the expectations of regulators, business partners, or clients. Type 1 covers completeness and accuracy of the system description and control design at a point in time, while Type 2 extends to operating effectiveness over a period.

DAN SEMBLER: There is also an option for a SOC 3, which is a further extension of SOC 2 intended for broader public distribution. SOC 3 is higher level and less detailed than SOC 2, which provides in-depth insight into policies, procedures, people, processes, and technology.

HOST: NEAL BEGGAN: That makes sense. Let's discuss the components of a SOC 2 report. What are the required sections and the optional section?

DAN SEMBLER: SOC 2 is relatively standardized. The first required section is the independent auditor's report. It summarizes the scope of the engagement, references subservice organizations and user entities if relevant, and outlines auditor and management responsibilities. The opinion covers completeness and accuracy of the system description, design and implementation of controls, and operating effectiveness for Type 2 reports.

DAN SEMBLER: The second required element is management's assertion. This reconfirms the scope and states that controls and disclosure are management's responsibility, asserting that controls have operated effectively over the period for a Type 2.

DAN SEMBLER: The third required element is management's description of the system. This varies in length and must meet nine disclosure criteria covering scope, infrastructure hosting, whether the report covers an application, system, platform, or all combined, and boundaries. It also includes tactical details such as identified security incidents and their impact on service commitments, and the people, processes, and technology that underlie protections.

DAN SEMBLER: Auditors are required to reconcile the system description with the controls tested to ensure assertions map to procedures performed. For example, if the system description asserts encryption in transit using TLS 1.2, the auditor will test controls to validate that protocol is in place.

DAN SEMBLER: Section 4 contains the explicit mapping of criteria, the controls, and a summary of procedures performed and conclusions. Section 5 is an optional, unaudited section where management can respond to exceptions or provide additional information, such as mappings to other control frameworks or business continuity details.

HOST: NEAL BEGGAN: Thanks for that overview. In terms of the report process, what does it look like from start to finish?

DAN SEMBLER: Typically you start with a readiness or gap assessment, where Cherry Bekaert can help identify applicable service commitments and underlying controls mapped to the trust services criteria. The readiness process ensures appropriate control coverage for selected service commitments and criteria.

DAN SEMBLER: We can help draft or mock up the system description. Management is ultimately responsible for the system description, but auditors can assist to ensure disclosure criteria are achieved and the description reconciles to controls in Section 4.

DAN SEMBLER: After readiness, you decide to pursue a SOC 2 Type 1 as of a specific point in time or to go straight to Type 2 to cover a period and operating effectiveness.

HOST: NEAL BEGGAN: Is a Type 1 required before a Type 2?

DAN SEMBLER: No. A Type 1 is optional. You can go from a readiness assessment directly to a Type 2. That said, we heavily recommend a readiness assessment before an audit opinion.

HOST: NEAL BEGGAN: Steve, any final thoughts for listeners preparing for a SOC 2 or already in readiness?

STEVEN URSILLO: Start with the big picture. Outsourcing IT systems and infrastructure to service providers blurs boundaries and increases the complexity of third-party interactions. Vendor management is critical because you must manage how your systems interoperate with others.

STEVEN URSILLO: Identify key stakeholders responsible for cybersecurity and privacy risk management, including IT, legal, compliance, senior management, and middle management. Gain executive buy-in because there are costs and organizational effort involved.

STEVEN URSILLO: Engage compliance experts who understand complex environments and industry-specific regulatory expectations. Identify the assets and data classifications you are protecting, and know where data is stored, processed, and transmitted.

STEVEN URSILLO: Conduct risk assessments to identify inherent and residual risk related to service commitments. Define controls, implement them, monitor and test, and establish incident response plans. Consider mapping controls to frameworks such as ISO 27001, the NIST Cybersecurity Framework, or CIS Controls where appropriate.

STEVEN URSILLO: Ensure consistency through training and awareness so personnel execute prescribed runbooks and respond appropriately in incidents. Maintain a continuous improvement process after audits to improve efficiency and value.

STEVEN URSILLO: Finally, report results to leadership and key stakeholders, including boards and audit committees, so they understand business risk and the strategic implications of the program.

HOST: NEAL BEGGAN: Thank you, Steve and Dan, for sharing your knowledge on SOC 2 audits and the process.

HOST: NEAL BEGGAN: For on-demand recordings of our recent SOC 2 webinar, please visit cbh.com/guidance, where we unpack the specifics of the SOC report, the benefits, and how to prepare for an examination.

HOST: NEAL BEGGAN: For more information on SOC reporting, information security, and cyber risk mitigation strategies, please visit cbh.com/cyber.

HOST: NEAL BEGGAN: Please like, share, and subscribe to the Risk and Accounting Advisory Podcast.

Speakers

Steven J. Ursillo, Jr., Cybersecurity
Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Dan Sembler, Cybersecurity
Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC
