
Webinar
SOC 2+: Enhancing SOC 2® compliance with additional frameworks
Feb. 26, 2025 · Authored by Garrett Gosh, Kelly Bourbon, Jacob Mahkorn
Cybersecurity risks and technological threats become more evolved – and more dangerous – every day, putting questions surrounding client data security, transactional process integrity and data availability during potential downtimes at the heart of successful risk management. System and Organizational Controls (SOC) 2 and SOC 2+ examinations can help address these critical issues.
In this recent webinar, Baker Tilly SOC specialists broke down SOC 2+ preparedness, pros, cons and authoritative guidance use cases.
As SOC 2+ builds upon the original framework of SOC 2 with additional components, it is important to first begin with an understanding of SOC 2 and how the two differ.
SOC 2 is a framework that evaluates a service organization’s ability to protect data belonging to its user entities (i.e., customers). It focuses on the security, availability, confidentiality, processing integrity and privacy of the customer data in the system. This evaluation is performed by an independent Certified Public Accountant (CPA) firm which provides a reasonable assurance opinion over the design, implementation and operating effectiveness of the internal controls.
When a SOC 2 examination includes an additional opinion about matters that are not normally within the scope of the SOC 2 examination, it is referred to as a "SOC 2+" examination. This means that an additional security-centric framework has been incorporated into the SOC 2 examination.
These additional frameworks, as a part of a SOC 2 examination, help organizations meet multiple compliance requirements and enhance their overall security posture. The selection of frameworks depends on various factors such as the industry, types of data hosted and/or processed by the service organization and regulatory requirements.
Based on your organization's specific needs and compliance requirements, a Baker Tilly risk advisory specialist can help you tailor your efforts to your unique circumstances and help ensure you meet necessary requirements without overburdening your resources.
According to the American Institute of Certified Public Accountants (AICPA) SOC 2 guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (paragraph 1.71), in some situations, two separate engagements with two separate reports may better serve the user’s needs compared to a SOC 2+ engagement. In such cases, management and the service auditor may work together to determine the type of engagement and report that would best meet the user’s needs. Our collaborative approach helps ensure that the chosen engagement aligns with the organization’s objectives and provides the necessary assurance to stakeholders.
When deciding whether to pursue SOC 2+, your organization should consider several factors to help ensure the proper course of action. SOC 2+ may or may not be the best option when “assurance” over multiple frameworks is required to satisfy contractual obligations with customers or adhere to regulatory requirements. While SOC 2+ can reduce audit fatigue and satisfy multiple requirements at once for broadly applicable controls, it is a longer, more complex report that will result in higher fees compared to a standalone SOC 2.
Baker Tilly can help you determine which approach is best for your organization. Connect with us.
While the AICPA issues the guidance that defines SOC examinations, a SOC examination isn't the only type of examination an organization may complete. The AICPA defines three types of examinations: assertion-based, direct and compliance. These examinations share three important characteristics: they all provide reasonable assurance, they must be conducted by an independent CPA, and they are designed with risk and materiality in mind.
Although differentiating between these examinations may seem complex, the general purpose of each is the same: to assess whether criteria are being followed. For example, in an assertion-based examination, your auditor will provide an opinion on the fairness of management's assertion regarding compliance. In a direct examination, your auditor examines the criteria directly to form a professional opinion, rather than relying on management's assertion of compliance. The third type, a compliance examination, evaluates an organization's compliance with requirements often imposed by governmental agencies seeking to determine an organization's eligibility for grants or funding.
By completing this SOC 2 readiness self-assessment, you'll gain valuable insights into your current readiness state and identify areas for improvement.
Regardless of the examination type, if your organization is being asked to validate whether certain criteria are met, an examination may be the correct course of action.