FAQ: How does a company get SOC 2 certified?

FAQ: How does a company get SOC 2 certified?

SOC 2 is not a certification, it’s a third party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer is you start by understanding your scope (the system, SOC 2 categories, etc.), performing a readiness assessment, and then undergoing either a Type 1 and/or Type 2 assessment by a CPA firm. You’ll end up with a detailed report stating the effectiveness of your controls, which, ultimately is what someone would refer to as being SOC 2 certified.

Additional FAQs

Can I fail a SOC 2 audit?

Yes, failure to meet the relevant Trust Service Criteria may result in a failed SOC 2 audit, requiring remediation. This is known as a Qualified Opinion when this happens.

SOC 1 Report – Who needs it?

Organizations that handle financial transactions, especially those impacting external financial statements, are good examples of those who need SOC1 audits.

SOC1 vs SOC2: Differences?

At a high-level, SOC1 is about financial controls, while SOC2 focuses on information security controls. They serve different end-user customers and stakeholders.

What is a SOC 2?

The Service and Organization Controls 2 Report, formally known as a Service Organization Controls Report as of the most recent update to the SSAE 18 audit standard. A SOC 2 report

What is SSAE 18 (formerly SSAE 16)?

The SSAE 18 audit standard is a framework for reporting on an examination of controls at a service organization relevant to user entities’ internal control over financial reporting.

Get Our Emails

SOC Reporting Guide