Let's Talk SOC! Baking Edition
Updated: May 31
Anyone who knows me knows I love a good analogy when tying the real world to different technology, security, or GRC concepts. Some of them land pretty well; some of them don't. When chatting with a customer recently about the difference between a SOC2 type 1 versus a type 2, I realized it's similar to making a cake. 🎂
When you have a type 1, that's your recipe. It's a point in time. You’re hoping that you’ve designed the recipe (controls) effectively to get your ideal cake. Thus accomplishing operating design.
When you have a type 2, that's when you actually start mixing and baking. That's over a span of time and requires a little bit more work and definitely a lot more patience. That's your operating effectiveness. In theory, if you’ve designed your recipe correctly, and executed your steps, your cake will come out correctly.
Anyone who’s baked knows that isn’t the case. Sometimes you come out with the cake as expected (unqualified opinion). Sometimes you come out with an item that is baked but has lots of room for improvements yet still edible (qualified opinion)!
What are opinions, you ask? 🤔
That is the final “grade” an auditor gives in the report. An unqualified opinion is when the auditor states that controls appear to be designed and operating effectively. Can there still be deviations or instances where the auditor notices some controls didn’t operate as expected? Yes! One, that’s not the end of the world. It just means the deviations identified were not significant enough to warrant a major concern around the effectiveness or there were other safeguards in place.
Think of a perfectly cooked cake but the icing is ugly but everything is edible. A qualified opinion means controls did not appear to be designed or operating effectively and there appeared to be no other safeguards in place to make up for that. Is it the end of the world? Absolutely not. Qualified opinions are definitely more common than you think; it just means your systems need a little more love to ensure things are in regular working order.
You acknowledge those improvements, make a game plan, and live to learn another day cause it's all about consistency and improvement. There are two more opinions that can be issued: disclaimer and adverse. To be honest, these are pretty rare but they do happen.
To sum them both up quickly, a disclaimer is when there was not enough information provided to provide an opinion; an adverse opinion is when the auditor is not able to rely on or trust the controls in the system.
Let’s be honest, every cake doesn't come out perfectly every time. In that same vein, your systems won’t operate at 100% all the time (nothing does)! Sometimes exceptions or deviations will be noted in your report and that just shows you have room to grow and there is no shame in that. Always be kind to yourself and your systems throughout your audit journey; we all have to start somewhere!
Here’s a picture of my qualified opinion cake. Very ugly and needs a lot of work, but still edible, I promise! Next up, I'll be making a ByteChek cake so stay tuned
Other related articles: