Should I engage a CPA firm to perform a SOC 2 Type 1 audit before jumping straight into a SOC 2 Type 2 audit? When asking this question, consider the following:
- A CPA firm can start a Type 1 audit soon after all your policies, procedures and controls are implemented.
- Type 2 audits require controls to be audited over a period of time (typically a minimum of six months) and the audit period cannot start until all policies, procedures and controls are implemented. Your audit will not be completed until a few months after your audit period end date.
- Customers may specify in contracts that a Type 2 audit is required.
- Type 1 audits will provide your customers with less assurance over your controls, and customers may require you to undergo a Type 2 audit shortly after completing your Type 1, resulting in audit fatigue.
- Type 1 audits typically cost less since auditors perform less audit procedures during the audit.
- Type 1 audits serve as a barometer to help you gauge if you are truly ready for a Type 2 audit.
- There is a lesser chance of an auditor identifying exceptions during a Type 1 audit since the auditor only has to obtain comfort over the design of controls as of a specified date.So what happens when an auditor identifies control exceptions during a SOC 2 audit?
Hopefully, the first thing they do is communicate them to the client to confirm their understanding. They should ask clarifying questions and inquire to see if there are alternative means by which operating effectiveness can be demonstrated. They should do this well before the final report is issued (good auditors don’t like surprising their clients).
Once exceptions are confirmed, the auditor will determine the impact of the exceptions and whether the exceptions cause one or more criteria to not be met. If they determine criteria are not met, then the auditor will be issuing a qualified opinion (again, the auditor should communicate this early). The auditor then has to document the exceptions in the SOC 2 report as follows.
Regardless of the opinion rendered:
– Section 4 will be updated to call out the said controls as exceptions.
– Section 5 may be added to the report to document the client’s responses to exceptions to communicate how exceptions were/will be remediated.
If an unqualified opinion is rendered:
– No additional reporting requirements other than Section 4 updates.
If a qualified opinion is rendered:
– Section 1 will be modified to explain which criteria were qualified and why.
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.
About SOC 2 Reports
With SOC 2 reports, organizations decide which categories to include in the scope of the examination. This flexibility means reports are unique to each company, while providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.
