Demystifying SOC 2 Compliance

Transcription

Lliam:
Today we’re talking with Chris Nickell from NDB about SOC compliance. If you’re a service company that handles client data, what should you protect—and how does SOC apply to you?

SOC stands for System and Organization Controls. It was created by the AICPA (American Institute of Certified Public Accountants) to help service companies demonstrate how they manage and safeguard customer data.

Welcome to MIS, Chris. Thanks for joining us today.

Chris:
Thanks for having me.

Lliam:
Why does being SOC 2 compliant matter?

Chris:
At its core, SOC reporting is a tool to help organizations demonstrate their ability to manage risk. SOC 1 focuses on financial reporting controls, while SOC 2 addresses IT general controls like data security and confidentiality. SOC 3 is essentially a generalized version of SOC 2.

Lliam:
That’s where it gets confusing—SOC 1, SOC 2, SOC 3. How do companies know where to start?

Chris:
Back in the early ‘90s, there was an audit standard called SAS 70 focused on financial reporting. That eventually evolved into the SOC framework, beginning with SSAE 16 and SSAE 18. Now we have SOC 1 for internal controls over financial reporting—think payroll companies or outsourced accounting systems. SOC 2 focuses on IT general controls—data processing, security, and confidentiality.

Lliam:
Can you explain the difference between SOC 2 Type I and Type II?

Chris:
Sure. SOC 2 Type I reflects controls at a specific point in time—it’s like a snapshot. SOC 2 Type II covers a period of time, usually six to twelve months—like a short film. Type I sets the baseline, and Type II demonstrates how those controls perform over time. Typically, after completing a Type I, the expectation is to move into Type II and continue with that on an ongoing basis.

Lliam:
Right. Type I shows what your controls are, and Type II shows you’re actually using them. It’s not just about policies—it’s about proving they work in real life.

Chris:
Exactly. If your business changes significantly, you might reset with a new Type I and then build into a Type II again. That way, you’re ensuring your controls are aligned with your current operations.

Lliam:
Good point. During major IT changes, that’s when risks emerge. Starting with a fresh Type I helps uncover gaps. Having someone like you involved is essential.

Chris:
And it’s important to remember: SOC 2 reports are scoped. You don’t certify your whole business. You define a business process or area, and that becomes the scope. Many organizations have multiple processes that may require separate reports.

Lliam:
What risks do companies face when they try to handle all this internally without bringing in an external auditor?

Chris:
Smaller companies sometimes use the audit as an internal audit function. But in general, SOC reports are the go-to risk management tool. They let your clients see how your controls align with theirs. This interaction is often included in the report as “user control considerations.”

Lliam:
So, it’s a way for service providers to show due diligence to clients or vendors, without having to answer the same security questionnaire over and over again.

Chris:
Right. If you scope your report properly, it can replace the need for repeated audits or 100-question forms. You want your SOC report to be comprehensive enough that your clients don’t feel the need to dig further.

Lliam:
Exactly. We get flooded with security questions from clients and vendors. How does the attestation letter help?

Chris:
That letter—also known as an opinion letter—provides what’s called “reasonable assurance.” It doesn’t mean we tested every single control every day. It means we conducted sufficient testing to reasonably conclude that the controls are in place and operating effectively. It’s a cost-benefit balance.

Lliam:
Like a financial audit. Just because you passed it doesn’t mean someone couldn’t commit fraud tomorrow—but it gives reassurance that the fundamentals are solid.

Chris:
Exactly. It gives user organizations confidence that your business operates with integrity and effective risk management.

Lliam:
What do you see driving companies to pursue SOC 2 compliance? Is it internal motivation or external pressure?

Chris:
It’s both. Some organizations want to be responsible data stewards. But more often, it’s a requirement from clients—especially large enterprises or Fortune 500 companies. If you want to work with them, SOC compliance becomes a “ticket to the dance.”

Lliam:
Do you see clients coming to you because they’re at risk of losing a contract if they don’t get a SOC 2?

Chris:
All the time. But it’s important to view compliance as a process, not an event. It’s best to get on a schedule. For example, do a Type I this year and a Type II the next. Share that plan with your clients. That kind of transparency builds trust.

Lliam:
For companies who are intimidated by SOC 2, what does getting started look like?

Chris:
Sometimes people are overwhelmed and don’t know where to start. That’s where we come in. We begin by asking: What does your organization do? From there, we can help define the scope, suggest a timeline, and predict what will be needed.

Lliam:
You’ve really served as a Sherpa for us—guiding us through the process, helping us refine policies, offering examples, and making it manageable. In our case, the real value wasn’t the certification—it was the collaboration and internal growth.

Chris:
That’s common. The certification is the result, but the real value comes from the process—bringing people together, improving procedures, and aligning with industry standards.

Lliam:
Right. It even impacts culture. Through the audit process, employees become more aware of their role in security. It creates lasting habits.

Chris:
Exactly. A little bit of auditing goes a long way in promoting awareness, identifying what needs to be improved, and embedding controls into everyday processes.

Lliam:
Final question: What advice would you give to someone just starting down this path?

Chris:
Start early. Give yourself more time than you think you’ll need. The first year is especially important—if you’re not rushed, you’ll get much more value from the process. When companies wait too long and try to cram it in, they miss the opportunity for thoughtful, productive work. Start early and pace it out.

Lliam:
Great advice. Chris, thank you so much for sharing your expertise and helping demystify the SOC 2 process. We really appreciate your time.

Chris:
Thank you. Happy to help.

 
