We recently completed a SOC 2 Type II audit.
Yes, this blog post is about SOC 2 Type II audits.
Wait! Don’t leave. If you use SaaS products—or depend on any other service provider like us—knowing something about SOC 2 engagements is well worth your time.
Why? Because if you rely on cloud-based service providers (providers like FullStory), you need to be confident that those providers securely handle your data. How do you build that confidence?
And that’s where an outside, objective assessment comes in. And that’s why SOC 2 attestations exist.
Audit? Attest? What Does It Mean?
“Audit.” “Attestation.” What do these words mean? Is it some kind of test? Does it involve the IRS? No and no.
Audit. If you’re like me, this word conjures up questions—the scary kind. Don’t be alarmed. In the context of a SOC 2 engagement, think of an audit as asking a third party to look for evidence that something exists—or that something happened.
A couple of careers ago I was a financial auditor. That experience taught me one thing: Audits are boring—both because they are methodical, rule-based, and rigorous and because if the company being audited is doing what it’s supposed to be doing, the auditor doesn’t find (m)any surprises.
Audits collect and document proof that things are as a company says they are. It’s a process of verification.
Attest. That brings me to “attest.” An “attestation” is just a report by a third party that the verification process took place. It’s a signed statement that things are, in fact, as they are said to be.
Put it together: for SOC 2 Type II, an audit of a company’s internal controls is performed. The result is a report called an attestation.
Great … Now What Does SOC 2 Type II Mean?
Put as simply as possible, SOC 2 Type II audits like the one we completed at FullStory require an accredited third party (a CPA firm accredited by the AICPA—in our case, KirkpatrickPrice) to audit and attest to three things:
1. The description of our internal controls. (What systems or processes govern how we operate at FullStory?)
2. That our internal controls are suitably designed and implemented. (Based on specific criteria for these sorts of engagements. More on this in a moment.)
3. That our controls are operating effectively—that is, being followed—over a period of time.
SOC 2 Type II audits examine a set time period, so the resulting report covers that specified period. (This is as opposed to a SOC 2 Type I report, which covers the controls at a specific point in time.) FullStory’s first SOC 2 Type II report covered May 1, 2019 to July 31, 2019.
As for the specific criteria examined in this engagement: FullStory’s SOC 2 Type II audit focused on controls regarding security, confidentiality, availability, and processing integrity. These are specific focus criteria under the AICPA’s Trust Services Principles, which serve as the foundation for any SOC 2 audit.
Why SOC 2 Type II?
It’s our responsibility to securely store customer data. How do we prove to customers we’re doing that? That’s where a SOC 2 engagement comes in.
A SOC 2 Type II audit is just a way to get third-party verification that we are operating with security controls in place—all for the purpose of securely storing customer data.
We asked KirkpatrickPrice to conduct a SOC 2 Type II audit and report on their findings. It’s some proof. And we’re more than happy to provide it.
So That’s That.
Well, yes and no.
If you recall, SOC 2 Type II engagements cover a period of time. In our case, the engagement looked at the period from May 1, 2019, to July 31, 2019. This short period for our first report ensured we received quick feedback about our program compliance; we will be extending the audit period in the future.
In other words, while we’re “done” insofar as completing this first engagement, we’re not done done.
We must continue to operate in accordance with our controls from now on—that way, future SOC 2 Type II engagements will result in the same attestation, which is as it should be.
For customers looking for the details of our SOC 2 report, please contact us.
Here's our official press release announcing the achievement. And if you want to learn more about how we think about things like security at FullStory, see our page on responsibility or peruse our articles under that tag.