866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

SOC Examinations & Attestations

SOC 2 Compliance Examinations

In providing a detailed overview of your organization’s control infrastructure, a SOC 2 examination will evaluate how you achieve your service commitments or promises related to security, service availability, data processing, confidentiality, and/or privacy—a process that Schellman makes easy.

Contact a Specialist

What is SOC 2?

First introduced in 2009, SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) as a set of requirements for internal controls to achieve service commitments based on trust services criteria contained within five categories—security, availability, confidentiality, processing integrity, and privacy—that are selected to suit your organization’s service commitments.

The Importance of SOC 2 Examinations

During a SOC 2 examination, an independent third party service auditor like Schellman would assess your internal controls and business processes against your applicable and chosen SOC 2 trust services criteria before providing a report you can share with customers and other stakeholders to reassure them that their data is safe with you.

The Benefits of SOC 2 Compliance

Investing in a SOC 2 examination can benefit your organization in multiple ways:
https://www.schellman.com/hubfs/improve-security.png

Provide Reassurance for
You and Your Customers

After you’ve worked to ensure your internal controls address the SOC 2 criteria for security (and other trust service criteria categories), an impartial third party will confirm the systems and processes you have in place to fulfill your service commitments.

https://www.schellman.com/hubfs/Untitled-1-1.svg

Gain Market Differentiation

Successfully passing a SOC 2 examination is objective evidence that you’ve taken steps to secure your customers’ data, which improves your credibility and brand reputation within your market.

https://www.schellman.com/hubfs/meet-compliance-requirements.png

Establish a Solid
Compliance Foundation

The SOC 2 examination has become a very popular compliance initiative—not just because your controls are up to an industry-accepted standard, but because they also sync well with other frameworks and regulations, like ISO 27001 and HIPAA.

SOC 2 Examination: Type 1 vs. Type 2

When having a SOC 2 examination performed, you’ll need to decide if you need a Type 1 or Type 2 report, as there are key differences in what—and when—they evaluate. While both Type 1 and Type 2 reports can be valuable tools for any organization that handles sensitive customer data, which type you choose will depend on your specific needs and goals, and Schellman will work with you to help you determine which report best suits your business and compliance objectives.

Type 1 SOC 2 Report

Useful for organizations that want to demonstrate their commitment to data security to stakeholders and customers, a SOC 2 Type 1 report evaluates how well-designed and implemented your controls and processes are at a specific point in time. 

Type 2 SOC 2 Report

On the other hand, a SOC 2 Type 2 report is an evaluation over a period of time—typically six months or more. During the examination, your auditor will assess how well-designed and implemented your controls are, as well as whether they’re operating effectively in meeting your chosen trust services criteria categories. 

What to expect for your SOC Examination

We begin each project with your end goals in mind while laying the groundwork for future key project activities. Effective communication and timely coordination of project planning activities are central to our methodology.
Image

Phase 1: Planning and Preparation

The most important step in any SOC 2 examination, this stage will ensure your controls and evidence with the agreed-upon terms and expectations set by your customers, as you and your auditors will work together to determine timelines, scope, and deliverables, among other items necessary to proceed with the examination.

Image

Phase 2: Evidence Request & Collection

The kickoff is considered the start of the engagement. If needed, Schellman will schedule a call at the beginning of, or just prior to, the kickoff to finalize any outstanding items. Schellman will be available to the client with any questions.

By including communication prior to starting, Schellman ensures that no last-minute changes to the project or team have occurred and the Client has the plan prior to the testing and on-site visit.

Image

Phase 3: Testing

After you’ve submitted the requested evidence, your auditors will perform process walkthroughs and interviews in combination with their evidence reviews and inspections—that includes any necessary follow-up conversations with evidence owners as well as cataloguing and documenting the test results.

Image

Phase 4: Reporting

Once testing is complete, you auditors will assemble a draft report containing the test results and other required process narratives and provide it to you for review. Once you approve the contents, it will be finalized for your distribution to customers and other stakeholders.

SOC 2 Jumpstart Guide

In this definitive guide to tailoring your SOC 2 examination, we’ve divided the decisions you’ll need to make into four sections that will progressively customize all the options you have into just the ones you need.

Read this and not only will you have a greater knowledge base on the particulars of SOC 2 internally, but you’ll be able to save time in sales calls, knowing exactly what you want from your auditor, and thereby get started quicker.

Read the Guide

SOC 2 Specialist

Chad Goubeaux

Chad Goubeaux is a Manager at Schellman with nearly 10 years of experience serving clients in auditing and IT compliance. He is a leader of the firm's SOC methodology group and contributes to the AICPA SOC 2 working group, helping to shape industry standards. At Schellman, Chad specializes in SOC 1, SOC 2, SOC 3, and HIPAA attestations. With previous experience in financial statement audits from a Big 4 firm, he brings a strong foundation in risk management and regulatory compliance. A graduate of The Ohio State University, Chad holds multiple certifications, including CPA, CISSP, CISA, CITP, and CCSK.

Meet Chad Contact Us

Frequently Asked Questions

Have a question? See a list of commonly asked questions below. If you still can't find an answer, contact us!

How Much Does a SOC 2 Audit Cost?

How Long Does a SOC Examination Take?

What is Included in a SOC 2 Report?

How Often Should I Get a SOC 2 Examination?

Talk to a Practice Leader

866.254.0000

Contact a Specialist

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.