The following appeared as an article on Security Boulevard
We’re often asked by our customers who are embarking on the SOC 2 journey: Can we skip the type 1 SOC 2 and go straight into a type 2 SOC 2? The rationale is that instead of paying for two audits they can only pay for one. It seems like an easy choice right?
However, this is not a decision to be taken lightly as there are many pros and cons to jumping directly into a type 2. The cost can end up being higher overall, more can be expended without any time saved, and there is a greater risk of a discrepancy on your SOC 2 report. While it is possible to take a ‘running start’ to a type 2, it is rarely recommended. The driving force behind the decision to aim for a running start must be so compelling that the end result will outweigh the risks.
There are some misconceptions floating regarding the process of achieving a SOC 2 Type 2 via a running start. Here are a few myths debunked:
Myth 1: Going straight into a type 2 will be faster
Not necessarily. If your auditor finds a control issue (aka a test deviation), you will need time to remediate it and to find enough samples for your auditor to test. Not having enough samples, could delay your auditor by up to 45 days. Also, consider the outcome of the report. Ideally it will be pristine, meaning an ‘unqualified’ audit opinion and with no deviations. A running start increases the risk of a ‘qualified’ report with many divisions. While having a report with a handful of deviations may be acceptable, it is far from ideal. Note that even AWS and Azure have deviations in their control environment every now and then, but they are industry behemoths that can afford a control hiccup.
Myth 2: Going straight to a type 2 will cut down on the cost of the audit
It might. However, it’s important to consider the number of hands on deck required to prepare, and then get through the audit. If developers get sucked into compliance, which is possible in smaller organizations, their involvement will impact the speed with which product enhancements or functionality get out to market. In small organizations, this may not be an acceptable trade-off. Additionally, the audit will be delayed if your auditor discovers that some of your processes or controls are not operating at an acceptable level. In this scenario a type 2 audit can be delayed, precipitating the need for retesting and more audit fees.
Myth 3: My organization is ready for a type 2
Maybe, but how do you know for sure? Processes will need to be clearly defined, repeatable, and working flawlessly every time. New processes can be cobbled together to meet an audit requirement, but the tradeoff may be a poorly designed, cumbersome, and temporary solution. In your haste to become audit-ready you may inadvertently impact the culture at your organization. For example, rolling out a new change management process without considering the impact to those who must follow it may lead to circumvented controls as your developers push back.
The safer bet!
A more prudent route is to invest in a pre-audit readiness assessment so you can see exactly where you stand, where you may have gaps in coverage, and how to effectively bring your people, processes, and technology into the compliance fold. After a readiness assessment you may be ready to dive into a type 2. Or if you’d like an independent audit of your program, you can engage an auditor for a type 1. The benefit to this approach is if the auditor finds a process that is poorly designed, you will have time to tighten up the process prior to your type 2.
Standing up an audit-ready compliance function will be a substantial effort that will pull folks away from their important day jobs. Getting audited will then compound the effort. The decision to undertake a running start SOC 2 Type 2 must be carefully considered. If the type 2 is a roadblock to a key contract, then it may be worth the risk and effort. If you do decide on a running start, budget for extra help to get you over the hurdle, such as third-party consultants or automated compliance solutions.