SOC 2 for SaaS companies: from first question to report

IT audit · 10 min read

Kees van der Vlies

Partner | IT Auditor

Also available in: Nederlands

You are a growing SaaS company. The first enterprise customers are knocking on your door, and with them come the security questionnaires. Almost every questionnaire contains the same question: do you have a SOC 2 report? The answer is no, and you notice that deals slow down or come to a complete standstill. That is the moment when most SaaS companies start thinking seriously about SOC 2.

SOC 2 is an attestation framework developed by the AICPA (American Institute of Certified Public Accountants). An independent auditor assesses the internal controls of a service organisation against five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. Security (the "common criteria") is always in scope. The other four are optional and are chosen based on the service provided and the expectations of customers.

Type I versus Type II

The first decision is the choice between Type I and Type II. A Type I report assesses whether your controls are suitably designed and in place at a specific point in time. It says: on this date you had the right measures in place. A Type II report assesses both the design and the operating effectiveness of your controls over a period, usually six or twelve months. It says: over this period your measures demonstrably worked.

For SaaS companies that need a report quickly, Type I is a logical starting point. The process is shorter (typically two to three months) and you only have to show that the controls exist on the report date, not that they operated over a period. Be aware, however, that enterprise customers increasingly expect a Type II report. Our recommendation is to use Type I as a stepping stone and to let the Type II audit period start straight after it.

What exactly is audited?

A SOC 2 audit assesses the controls you have put in place to meet the chosen Trust Services Criteria. This includes, among other things, access management (who has access to which systems and data), change management (how are changes to the application controlled), incident management (how do you handle security incidents), monitoring and logging (how do you detect anomalies), availability (how do you ensure uptime and disaster recovery), and data protection (how do you protect customer data at rest and in transit).

The auditor tests not only whether a policy exists, but whether it is followed. For Type II, that means producing evidence across the entire audit period: that access reviews were actually carried out at the frequency your policy sets (monthly, say), that every change went through the defined approval process, and that incidents were logged and addressed.

The costs and lead time

The costs of a SOC 2 process vary considerably, depending on the size of your organisation, the complexity of your infrastructure and the state of your current security measures. For an average SaaS company with ten to fifty employees, the costs for a Type II audit typically range between 15,000 and 40,000 euros, excluding the internal time you spend on preparation and evidence collection.

The lead time for a Type I process is two to three months. For Type II, you should count on an audit period of at least three months (six to twelve months is more common) plus roughly two months for fieldwork and reporting. It is wise to start the preparation well in advance.

The most common pitfalls

The first pitfall is scope creep. Organisations that select all five Trust Services Criteria without their customers asking for it make the process unnecessarily complex and costly. Start with security and availability. Add criteria if customers specifically ask for them.

The second pitfall is paper compliance. Writing policy is the easy part. The difficult part is consistently carrying out and documenting the controls. An access review that is scheduled monthly on paper but skipped in practice shows up as a test exception in the report, and exceptions in a SOC 2 report are visible to every customer who reads it.

The third pitfall is starting evidence collection too late. For Type II, you must be able to produce evidence across the entire audit period. If, after three months, you discover that your change management logs are incomplete, that evidence cannot be reconstructed after the fact: the gap stays in the audit period.

How Secure Audit helps

We guide SaaS companies through the complete SOC 2 process. That begins with a readiness assessment: where do you stand now and what still needs to be done? We then help with setting up controls, establishing evidence collection and preparing for the audit. We carry out the audit itself as an independent IT auditor.

Our platform supports the entire process digitally: from work programme and information requests to evidence and reporting. That makes the process more efficient for both the client and the auditor.

Get in touch to discuss how we can help you obtain your SOC 2 report. We think along with you about the right scope, timing and approach for your situation.

