How to Bridge From SOC 1 to SOC 2
“Your problem is to bridge the gap which exists between where you are now and the goal you intend to reach.”
Earl Nightingale said that. He was known by millions for his five-minute radio commentary program, “Our Changing World,” which became the most syndicated radio program ever. That was decades ago, but this particular quote still rings true for those of you trying to figure out what next step to take with your compliance.
You may already be familiar with SOC 1—maybe you went through that audit because your customers asked to understand how your services would impact their internal controls over financial reporting. A reasonable enough request, but a very specific one.
Now, maybe you’re wondering how to expand beyond that niche of SOC 1, and the most obvious choice is its brand brother—SOC 2.
But how do you make that leap?
In this article, we will detail how to bridge from your completed SOC 1 to a completed SOC 2. We’ll go over the similarities between the two processes, the differences, and how you can use what you’ve got to streamline that next experience.
Knowing all that, you’ll be better prepared to take your next step toward providing your customers with further assurances. You’ll know what to expect and how to achieve a best-case scenario for your SOC examinations.
Why Should You Bridge from SOC 1 to SOC 2?
In our experience, SOC 1 audits are driven by customer demand. All compliance is, to some degree, but that is almost certainly what got you started. Chances are, your customers have now started asking about a SOC 2 as well, and there’s reason for that.
But you’ve just gone through one arduous audit. Even if your customers may be rumbling about a new SOC 2, why should you put yourself through that?
In a word? Growth.
If a SOC 1 focuses on the impact on your existing customers’ financial reporting environment, SOC 2 answers the questions related to whether your organization keeps its promises and if it does so in a secure way to current and future customers.
A more holistic approach than SOC 1, a SOC 2 examination has become a routine requirement that customers expect from prospective vendors. So if you’re wanting to expand your business reach, a SOC 2 is a solid investment that can pave the way.
What Carries Over From SOC 1 to SOC 2
More than you might expect. Unlike SOC 1, where you defined your own control objectives, SOC 2 measures your system against the AICPA’s Trust Services Criteria to assess your organization’s controls over the information stored in and processed by that system. The work behind your SOC 1 feeds directly into that.
You’ll recall that, during your SOC 1, you had to perform a risk assessment. From those results, you designed a series of control objectives you then put in place to mitigate those risks discovered that could potentially impact your customer’s financial reporting control environment.
When pivoting to SOC 2, you’re able to take the control objectives you’ve already worked out and map them to the appropriate trust services criteria. Most of your SOC 1 objectives will fall under the Security category, but depending on what they cover, some may also apply to the other categories you choose to include (Availability, Processing Integrity, Confidentiality, or Privacy).
Once your assessors have mapped them all, they’ll be able to identify gaps and save you audit time by focusing on those weak points, as opposed to starting a SOC 2 engagement with no such basis.
What SOC 2 Report Type Should You Opt For After Completing a SOC 1?
Because there is a delta between SOC 1 and SOC 2, your report type becomes even more important when bridging.
You already decided between a Type 1 (a point-in-time assessment)—and a Type 2 (evaluation over time) when you completed your SOC 1. SOC 2 operates with the same types, but you’ll need to consider a few things at this juncture before moving forward with your new examination:
- Customer Obligations: We said before that SOC 2 can help your organization grow. Because it measures your controls against AICPA criteria, your customers can rest more assured you’re protecting them. In that, they’re better served by a Type 2, which tests whether your controls operated effectively over a period, rather than a Type 1, which only evaluates whether they were suitably designed at a point in time.
- Timeline: But a Type 2 report takes time—that’s the entire point. Do you have enough to accommodate the necessary reporting period or do you need to get something done more quickly? In that case, a Type 1 might be best.
- Preparation: A Type 1 also buys you a trial run. Even if you’ve got the time and budget to jump straight into a Type 2, doing a Type 1 first can help you build confidence in your environment against the SOC 2 criteria. You will be switching gears in terms of evaluation criteria, and the Type 1 can surface gaps ahead of the more extensive testing that the Type 2 demands.
The Type 2 SOC 2 report may be the ultimate goal, but at the end of the day, every organization will be in a different situation coming out of their SOC 1 experience. If you are interested in bridging to a SOC 2, you’ll need to account for all your internal elements so that you ensure you have another positive compliance experience on your way to giving your customers what they want.
How Different is the Audit Process Between SOC 1 and SOC 2?
You know how all this works already.
When you went through your SOC 1 examination, your management team or executives made the decisions in delegating audit responsibilities to different control owners. Those control owners were obligated to work with your auditors in providing evidence and interviews proving you are doing the work to mitigate any potential impact on your customers’ financial reporting.
Good news—the process is basically the same for your SOC 2.
When your auditors come in for your SOC 2, they’ll expand their viewpoint from their previous work. It is no longer about control objectives you defined yourself: your scoped system will be matched against the criteria laid out by the AICPA, which are broader and more prescriptive, and may be tricky. Compare the following:
- Common SOC 1 control objective: “Logical access to the in-scope system is limited to authorized personnel.”
- SOC 2 criterion (CC6.3): “The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.”
Many times, the same evidence can be used to satisfy both, but you should prepare for cases where it can’t. In the example above, the user access listings and approval tickets from your SOC 1 show that access is limited to authorized personnel, but the SOC 2 criterion also asks how you apply least privilege and segregation of duties, which may require additional evidence such as role definitions and periodic access reviews.
While the process won’t feel much different going through a SOC 2 after a SOC 1, the major thing to know is that SOC 2 focuses not only on your risk assessment and controls but also on the service commitments and system requirements you make to your customers.
This is an important expansion of scope, and some things you’ll need to account for are the extra evidence that may become necessary and the related possibility of adding new control owners. Other than that, the brunt of the change will be on your assessors.
Of course, if you’re ambitious with your SOC 2 and extend beyond the standard Security Category criteria, that will mean more build-out and work on your part. But in our experience, most organizations do opt for a baseline SOC 2 of just the 33 Security Category criteria to begin.
How to Prepare for a SOC 2 After a SOC 1
Despite our touting the similarities you can expect, it’s likely you’re still a bit apprehensive going into a SOC 2. How should you prepare so that you can alleviate that anxiety?
Your assessor can help you understand how much of your SOC 1 can be leveraged, and your existing control owners already understand how the process works. To help streamline your SOC 2, propose knowledge sharing between those people and the ones you may need to add, so that they too know what to expect. Other steps that will help include:
- Identifying these points of contact for your auditors before they ever show up.
- Establishing the purpose of a SOC 2 audit with relevant personnel (i.e., clearly articulating why this second assessment is being done to secure buy-in from employees)
- Assigning tasks to those people so that your third party is not scrambling to find time.
- Ensuring your project manager schedules meetings that include all relevant personnel.
Speaking from our perspective, the big issue we run into on these audits is not knowing whom to speak to and having to track them down. From there, things snowball into that person not having the time or not knowing where the evidence is, which bogs down your process.
But if you get ahead of the details and sort it all out beforehand, not only will your assessors trouble no one other than the people they need for evidence, but the conversations will go quicker too, since your staff will have had time to prepare.
This will be especially critical if you do add categories beyond Security. Because your control objectives from your SOC 1 will generally be lumped into that first category, adding more to it will surely mean pulling more folks into the audit. While you’ll of course want to get with those new control owners as to whether their evidence achieves the relevant criteria, ensuring they are ready for the process is crucial too.
Should You Just Do a SOC 1 and SOC 2 Simultaneously?
Maybe you aren’t sitting on a completed SOC 1 examination. Maybe you understand you need one because your customers have indicated that you impact their control environment.
It may be in your best interest to go ahead and explore SOC 2 as well because if you do them at the same time, we’ve established that it doesn’t make double the work for you. And there are a few benefits to doubling down on audits simultaneously, both externally and internally:
- Added assurances for existing and prospective customers: If a business is evaluating your services, the SOC 2 can provide the comfort your potential customers want and the comfort your existing customers need.
- Added assurances for your customers regarding your broader data security: They may already be clamoring for a SOC 2 report from you.
- Fewer internal meetings/streamlined planning periods: You can work with your assessors to satisfy control objectives and criteria at the same time.
- Cost-effectiveness: Some firms—like Schellman—can work with you on price if multiple compliance initiatives are bundled.
But of course, it’s not so easy. Adding on another examination means approvals from the budget and senior management—there may be some things to iron out within your environment as well.
But it is possible to conduct both at the same time, so if you think you may be interested in SOC 2 in the future, it may benefit you to go ahead and make that leap now (or at least start with a readiness assessment).
Next Steps for Your SOC Examination
For a lot of organizations, SOC reports often feel like a natural first step when delving into compliance. If you’ve recently completed a SOC 1 examination and are looking to keep moving forward, you now understand the particulars of how to bridge to the less niche, more comprehensive audit that is SOC 2.
To continue making more sense of SOC 2 and its intricacies as you prepare to cross over, check out our other content on the subject, which deconstructs its various aspects.
About Jose Benavidez
Jose Benavidez is a Senior Associate with Schellman. Prior to joining Schellman, Jose worked on SOC engagements, Privacy Assessments (GDPR), and testing of IT general controls as part of SOX financial audits. As a Senior Associate with Schellman, Jose is focused primarily on SOC 1 and SOC 2 audits for organizations across various industries.