SOC 2 Guide for Startups
Let's break down the cost, timeline, and process of SOC 2 for startups, so your customers and partners understand how you're protecting their data.
Cost
For an organization with <30 employees, a Type 1 audit typically costs $3-$8k, while a Type 2 audit costs $5-$10k. This does not include the cost of GRC (Governance, Risk, Compliance) software ($7k+); software or services that will likely need to be procured because they are the easiest way to satisfy certain controls, such as a penetration test ($4k+); services to implement or consult on the SOC 2 process; and the ongoing investment of hours by the team.
Timeline
Once you’ve engaged an auditor, there’s typically a ~6 week period prior to the observation period in which they identify major gaps and give you the chance to address them. Then, the minimum observation period for an audit is 3 months. You can decide with the auditor whether you want it to be longer, e.g. 6 months, which can provide more assurance to buyers but is not necessary. Note that it’s possible to extend or change the timeline, but there can be an additional fee for doing so.
Process Guide
Prior to the audit
Selecting an audit firm
Select for familiarity with startups of your size and tech stack, ease of working with them, and a reputation your vendors and customers will recognize, at the best price given these constraints. We have recommended vendors.
Preparing for the audit
GRC software such as Vanta abstracts away the vast majority of the required prep. The output of this software is:
Description of systems and system boundaries
Risk assessment of the systems
Scoping: what is relevant and critical to your company is scoped in, other third-party providers are scoped out, and the result is the set of controls that are relevant to your SOC 2
Policies and documentation of controls, monitoring, and responses to incidents
Evidence collection, including an explanation of what each control applies to, which parties are responsible for the procedure, the frequency of the activity, and the source of evidence
Remember, garbage in is garbage out. Software like Vanta walks through procedures and organizes evidence, but auditors will actually check whether controls are applied in good faith, so it’s important that organizational processes are actually in place prior to an audit.
Planning with the auditor involved
~6 weeks prior to an official kick-off, engage with an auditor so that 1) they can schedule resources for your audit, and 2) they can evaluate whether there are any obvious gaps that can be filled.
Gaps will likely be identified around whether the description of systems, system boundaries, and controls are suitable and encompass the required details given the risk assessment and the business.
Audit
The auditor will evaluate the description of systems to make sure it includes the subject of the control, the person or parties responsible for processes, frequency or timing, the activity being performed, and the source of applicable information.
The auditor will review evidence of controls, potentially using sampling.
Example of testing of control
The auditor will review the nature, frequency, and other context of identified incidents in order to evaluate the results of the tests.
Example of evaluation of testing of controls
Finally, the auditor will prepare a SOC 2 report that includes management's assertions and responsibilities and the results of evidence gathering and risk assessment, resulting in an overall auditor opinion on whether controls were fairly presented, well designed, and operating effectively.
SOC 2 is a report; a company cannot pass or fail it. What you want is to minimize the number of exceptions, and especially material exceptions, on the report.
SOC 2 vs SOC 1
SOC 1 evaluates a company’s practices related to financial reporting; SOC 2 evaluates the information security practices that protect its customers’ data.
SOC 2 Type 1 vs Type 2
Type 1 assesses the design of the company’s systems and strategies, but controls are not actually evaluated for effectiveness (Type 2 tests whether controls operate effectively).
Type 1 provides an opinion as of a specific date in the report, while Type 2 audits cover a range of time, typically 12 months from the date of the report.
Reports need to be renewed before the end of the coverage period, normally annually.