Webinar
SOC 2+: Enhancing SOC 2® compliance with additional frameworks
Feb 26, 2025 · Authored by Garrett Gosh, Kelly Bourbon, Jacob Mahkorn
Cybersecurity risks and technological threats become more evolved – and more dangerous – every day, putting questions surrounding client data security, transactional process integrity and data availability during potential downtimes at the heart of successful risk management. System and Organizational Controls (SOC) 2 and SOC 2+ examinations can help address these critical issues.
In this recent webinar, Baker Tilly SOC specialists broke down SOC 2+ preparedness, pros, cons and authoritative guidance use cases.
A SOC 2 refresher
As SOC 2+ builds upon the original framework of SOC 2 with additional components, it is important to first begin with an understanding of SOC 2 and how the two differ.
SOC 2 is a framework that evaluates a service organization’s ability to protect data belonging to its user entities (i.e., customers). It focuses on the security, availability, confidentiality, processing integrity and privacy of the customer data in the system. This evaluation is performed by an independent Certified Public Accountant (CPA) firm, which provides a reasonable assurance opinion over the design, implementation and operating effectiveness of the internal controls.
A SOC 2 is:
- An examination providing reasonable assurance
- Intended to promote trust between a service organization and its user entities
- Inclusive of an opinion provided by an independent CPA firm
And a SOC 2 is not:
- Absolute assurance
- A guarantee that commitments made to customers are met
- A one-size-fits-all report
- A replacement for internal controls
Increased outsourcing to third-party service providers has led to an increased demand for vendor accountability. Undergoing a SOC 2 examination can provide assurance to your customers that your internal controls and processes are properly designed, implemented and operating effectively, and that their data is protected.
What is a SOC 2+?
When a SOC 2 examination includes an additional opinion about matters that are not normally within the scope of the SOC 2 examination, it is referred to as a "SOC 2+" examination. This means that an additional security-centric framework has been incorporated into the SOC 2 examination.
Some of the additional frameworks that may be included as part of a SOC 2 examination are as follows:
HIPAA
- Produced and sponsored by the U.S. Department of Health and Human Services (HHS)
- National standards to protect individuals' electronic personal health information (ePHI) that is created, received, used or maintained by a covered entity
- Applies to covered entities such as healthcare providers, health plans and healthcare clearinghouses
HITRUST
- A comprehensive and certifiable "all-in-one" framework maintained and updated by the HITRUST Alliance
- Designed to help organizations manage and protect sensitive information
- Integrates various security, privacy and regulatory standards, such as HIPAA, the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI-DSS) and National Institute of Standards and Technology (NIST) publications
- Originally designed for the healthcare industry but has since expanded to become industry-agnostic
ISO 27001
- Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
- Designed to help any organization, regardless of its size or industry, manage and protect its information assets effectively
- Annex A: a catalog of the information security control objectives and controls that should be considered during the ISO 27001 implementation
- 93 Annex A controls across four different categories
NIST 800-53
- Created and supported by the National Institute of Standards and Technology
- Framework adaptability makes it suitable for any organization looking to strengthen its security and privacy controls
- Adopting NIST 800-53 helps organizations comply with various regulatory requirements, such as the Federal Information Security Modernization Act (FISMA), by providing a standardized set of controls
- Organized into 20 control families, each addressing a specific aspect of information security and privacy
These additional frameworks, as a part of a SOC 2 examination, help organizations meet multiple compliance requirements and enhance their overall security posture. The selection of frameworks depends on various factors such as the industry, types of data hosted and/or processed by the service organization and regulatory requirements.
Based on your organization's specific needs and compliance requirements, a Baker Tilly risk advisory specialist can help you tailor your efforts to your unique circumstances and help ensure you meet necessary requirements without overburdening your resources.
Pros and cons of a SOC 2+ examination
According to the American Institute of Certified Public Accountants (AICPA) SOC 2 guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (paragraph 1.71), in some situations, two separate engagements with two separate reports may better serve the user’s needs compared to a SOC 2+ engagement. In such cases, management and the service auditor may work together to determine the type of engagement and report that would best meet the user’s needs. Our collaborative approach helps ensure that the chosen engagement aligns with the organization’s objectives and provides the necessary assurance to stakeholders.
When deciding whether to pursue SOC 2+, your organization should consider several factors to help ensure the proper course of action. SOC 2+ may or may not be the best option when “assurance” over multiple frameworks is required to satisfy contractual obligations with customers or adhere to regulatory requirements. While SOC 2+ can reduce audit fatigue and satisfy multiple requirements at once for broadly applicable controls, it is a longer, more complex report that will result in higher fees compared to a standalone SOC 2.
Baker Tilly can help you determine which approach is best for your organization. Connect with us.
AICPA examination guidance use cases
While the AICPA issues the guidance that defines SOC examinations, a SOC examination isn't the only type of examination an organization may complete. The AICPA defines three types of examinations: assertion-based, direct and compliance. These examinations share three important characteristics: they all provide reasonable assurance, they must be conducted by an independent CPA, and they are designed with risk and materiality in mind.
Although differentiating between these examinations may seem complex, the general purpose of each is the same: to assess whether criteria are being followed. For example, in an assertion-based examination, your auditor will provide an opinion on the fairness of management's assertion regarding compliance. In a direct examination, your auditor examines the criteria directly to form a professional opinion, rather than relying on management’s assertion of compliance. The third type, a compliance examination, evaluates an organization's compliance with requirements often necessitated by governmental agencies seeking to determine an organization’s eligibility for grants or funding.
Regardless of the examination type, if your organization is being asked to validate whether certain criteria are met, an examination may be the correct course of action.
By completing this SOC 2 readiness self-assessment, you'll gain valuable insights into your current readiness state and identify areas for improvement.