What is a SOC 2 audit?

Thoropass University SOC 2 for Startups


A SOC 2 audit is an independent examination of a service organization's controls, measured against the Trust Services Criteria defined by the AICPA (security, availability, processing integrity, confidentiality, and privacy). The result is a SOC 2 report, which comes in two types.

Type 1 audit

A SOC 2 Type 1 report covers the design of the service organization's controls as of a specific date. Because a Type 1 report is framed around a single point in time, it does not include tests of controls or the results of those tests. The CPA performing the audit issues an opinion on whether the controls, as described, are suitably designed to meet the applicable Trust Services Criteria.

Type 2 audit

During a Type 2 audit, the auditors review the system description and the controls it lists to decide how each control will be tested and how its effectiveness will be judged.

In a SOC 2 Type 2 report, the auditor issues the same opinion on suitability of design as in a Type 1, plus an opinion on operating effectiveness. Controls are evaluated over an observation period, typically between three and twelve months, with twelve months being the norm for an established program. The report includes the auditor's description of each control test and its result, including any exceptions found.

Who can audit my SOC 2 compliance?

Only a licensed certified public accountant (CPA) firm can issue a SOC 2 report; the engagement is performed under the AICPA's attestation standards, and the firm must be independent of the organization it examines.

Realistically, technology-forward businesses should hire an auditor who is familiar with the SOC 2 framework and with cloud and software environments, since such a firm can evaluate a security posture far more quickly. That does include big-name firms, but there are plenty of accounting firms that specialize in security audits and cost much less.

How long does a SOC 2 audit take?

Anywhere from a couple of weeks to several months.

The length of the audit itself is variable, and depends on preparation, how well evidence is organized, and how responsive the organization is to auditor requests. Note that for a Type 2 report the observation period (typically three to twelve months) must elapse before the auditor can test operating effectiveness, so the overall timeline is the observation period plus the audit fieldwork.
