Q&A – SOC 2 with Ty Brush from A-LIGN

As part of Assent’s mission to champion the consultancy industry, Jess from Assent Risk Management has been interviewing experts from all sectors of the consulting profession. In this interview, Jess talks to the division vice President of Sales at A-LIGN, Ty Brush about SOC 2.

What is SOC 2?

SOC 2 is an internal controls report applicable for service organisations that does not impact their customers’ financial reporting. A more general definition is, SOC 2 is an internal controls report. So we’re looking at the internal controls of a business, and we’re judging if those controls mitigate a certain risk that is published by a regulatory body. In this case, it would be the American Institute of Certified Public Accountants (AICPA). And then to bring the definition down one level down, in a more general term, it’s a third-party vendor management report, meaning it’s a report that gives your customers the assurance that you’re meeting a minimum best practice of information security.

Who are SOC 2 audits designed for? 

It is a service organisation type report, meaning it’s most applicable to those businesses that are service organisations. If you are providing a service to a business or a consumer, you are technically applicable to a SOC 2 audit. Now, with that said, the majority of businesses that do undergo SOC 2 audits would be those in the software space or the tech space, as they have the highest propensity of impacting information security or data security.

What are the components of SOC 2 compliance?

A SOC 2 report, that is what you’re delivering or you’re receiving at the end of the audit, is made up of essentially five components. So the deliverable itself is quite robust, typically it would be about 100 pages in length. 

The first thing that a customer is going to find is a management representation letter. Now, this is unique to SOC 2. This is a requirement that actually came down through the ranks after Enron, when there was kind of some fraudulent activity where management wasn’t necessarily reporting the truth. So on every single SOC 2 report that exists, the company that is being audited, the management must sign a representation letter stating that everything that they’ve provided to the auditor, to their knowledge, is true and accurate. 

The second component is an actual opinion letter, this opinion letter has to be signed by a certified public accountant, (CPA). Most of the time those CPAs are going to be US based as it is an American-regulated institution. But that opinion letter is the auditor opining on the fact that this business or the scope that has been tested either meets the SOC 2 criteria or does not meet them. 

Then after that is where I really think we start to see the value that SOC 2 brings and why a lot of businesses nowadays are turning towards SOC 2, and that is the system description. So within a SOC 2 report, there’s quite a lengthy section that is made up of a description in a narrative form of what the business does and, what was the scope that was tested on the day. 

Then what are some of the technical components within their business describing things like infrastructure, different third parties that they may utilise to provide their service, and then some high-level information on their information security practises in policies and procedures. So that system description gives the reader of the report a really good idea of what are the components of this business that they need to be aware of. It gives you kind of a look under the hood, so to say, of what’s to come in the next section of the report, which is the testing matrices.

So again, unique to SOC 2, the reason why this is such a large deliverable is that the fourth section of the report would be the actual controls. So if you review a SOC 2 report, you’ll see that there are listings line by line of what was the criteria as published by the standard, and then what is the specific internal control that the business has in place to mitigate that risk that was identified. So you get to see the details of exactly what this business that was audited has in place from a control standpoint and then ultimately what were the auditor’s findings.

And that leads me to the final piece. SOC 2 does give management, so in this case the customer, the ability to respond to any findings that might have been in the report and that is the fifth component. So if you do have any ‘nonconformities’, as they’re known in ISO, or in this case, ‘exceptions’ as they are known in SOC 2, the management team does have the ability to respond and just let the reader know what was the action item that they took after finding out that they do, in fact, have an exception or non-conformity.

What does SOC 2 mean for UK businesses?

It is called an American standard because the regulatory body that has published and regulates and manages the SOC 2 standard is the American Institute of Certified Public Accountants or the AICPA. So it’s the regulatory body and they’re based in the US. But SOC 2 is still very much a global standard. I personally obviously represent A-LIGN, AMIA and APAC region, and we have customers from Hong Kong to Spain to the UK and obviously the States and abroad. So there’s really no piece of the world that isn’t applicable to it. 

And the reason why, specifically UK businesses should be interested in SOC 2 is, if the US is a strategic market for them, so for example if you are a UK business, let’s say you’re a software company in the UK, and you know that one of your strategic go-to-market strategies is going to be to sell into the US. As it is one of the larger economies in the globe, then you should know that SOC 2 is likely going to be a requirement for you down the road. Most US-based companies are very used to receiving SOC 2 reports, and that ends up being their third-party vendor management requirement. So it can be a bit of a barrier to entry if your team isn’t aware of what SOC 2 is or you don’t currently have one. 

Whereas ISO 27001 [Information Security], which is kind of the cornerstone of information security in the UK and Europe, most businesses have that in place or are aware of it. So it’s just learning a little bit about SOC 2 and why you should be aware of it if the US is a strategic market.

And then the other thing that really has changed, over the last three years or so is that we are seeing regulated industries within the UK, specifically central government, that is putting out different tenders or RFPs that actually call out SOC 2 as a requirement in combination with ISO or sometimes instead of ISO. So if you are working in a regulated industry in the UK banking, insurance, [or] healthcare, you should be aware that SOC 2 could be coming down the pipeline as a requirement for your team.

What are the differences between SOC 2 and ISO 27001?

So I guess I’ll start with the similarities. One, they both address information security. So obviously, ISO [27001] is an information security management system certification. And just like that, SOC 2 is very much focused on infosec. They both mitigate information security risks. So, again, in the basis and the core components of both standards and then also on the similarity side, they’re used to ensure that proper controls are in place and instil trust from your customer base. If you have either or both, it’s telling your customers that you should trust our team, we have the proper security controls in place.

So those are the similarities where I think the two tend to differ, is largely in the deliverable. So an ISO 27001 certification is just that. It’s a certification and you receive a certificate. That certificate is typically a one to two-page PDF that has some stamps and seals on it and also your scope and will essentially give your customer assurance to say, if you have this certificate, we know you’ve been audited by a third party and you’ve been certified to the standard. 

SOC 2 is not a certification, it’s actually known as an Attestation. If you ever see a business saying that, ‘we’re SOC 2 certified’, it’s just they don’t know that it’s not technically a certification. So you would want to say you’re SOC 2 compliant and that you’ve received an independent Attestation to prove that. So the deliverable is different. 

We mentioned ISO one to two pages. SOC 2 would be arguably up to 100 pages. So you get a little bit more depth into what was tested rather than just receiving, you know, a one page document. 

The other thing I would say that differs is ISO 27001 tends to be very policy-based and is very management centric. It’s in the name of the standard itself. So it’s focusing on how is management involved in the information security process. SOC 2 tends to be a bit more technical. It does rely on policies and procedures, but it will go into the minutiae of what are the specific security configurations that you have within your AWS environment. So it does get into the details, and that’s where we tend to see customers experience a little bit of a different audit.

Who can perform a SOC 2 audit?

So the only organisations out there that can issue an accredited SOC 2 report would be a certified public accountant. So my recommendation to businesses is always before you were to engage with a SOC 2 auditor, you should travel to the AICPA’s website. There is a peer-reviewed search bar where you can type in the business’s name and then find out if they are actually accredited or if they have gone through a recent peer review to uphold the AICPA’s requirements to be an issuing body of a SOC 2 report. 

Any CPA can technically issue one and this often confuses people as CPAs are the people that do taxes and financial audits. So the next layer or the secondary layer of investigation you would want to do as a prospecting SOC 2 customer is saying 1. I’ve identified that they are a CPA firm, great. But now I need to find out what is their experience in SOC 2. Is SOC 2 a core component of the CPA’s business or is it just something that they do during when it’s not tax season aligned? We’re solely an information security firm, so we are a CPA firm, but we don’t do tax, we don’t do finance, and we only focus on information security or cybersecurity audits. But there are other firms out there as well. So we would just always recommend doing your due diligence on your auditor, just like you would for any other standard.

Thank you Ty for participating in this interview, if you need help support with SOC 2 please contact Assent to talk to a consultant.

Need help with SOC 2?

Contact us to talk to a SOC 2 consultant.

Jessica Inglis
Jessica Inglis
Articles: 35