What Is SOC 2 and Do Australian Companies Need It?

December 19, 2023

Three years ago, most Australian technology companies could respond to a SOC 2 request with a well-written security questionnaire and a copy of their ISO 27001 certificate. That response is increasingly insufficient. US enterprise buyers and global platforms have standardised on SOC 2 as a baseline procurement requirement, and the expectation that an Australian vendor can substitute an alternative is diminishing. Understanding what SOC 2 is and what it takes to achieve it has become a practical business question, not an abstract compliance exercise.

The confusion is understandable. SOC 2 is not a standard in the sense that ISO 27001 is a standard. It is an attestation framework with specific audit requirements, and the terminology used around it, such as "compliance", "certification", and "passing", is not always used accurately. Getting clear on what SOC 2 actually is makes it easier to plan for it and to explain it to customers.

What SOC 2 Is

SOC 2 stands for System and Organisation Controls 2. The framework was developed by the American Institute of Certified Public Accountants and defines criteria for assessing the security, availability, processing integrity, confidentiality, and privacy of a service organisation's systems. A SOC 2 audit is conducted by a licensed CPA firm, which issues a report expressing an opinion on whether the organisation's controls meet the applicable Trust Services Criteria.

The output is a report, not a certificate. The security criterion is mandatory for all SOC 2 engagements. The remaining criteria (availability, processing integrity, confidentiality, and privacy) are selected based on the commitments the organisation makes to its customers. A SaaS company that processes personal data and commits to uptime guarantees would typically include security, availability, and confidentiality at a minimum. The report describes the organisation's systems, the controls in place, and the auditor's findings, including any exceptions to operating effectiveness.

When Australian Companies Need It

Not every Australian company needs SOC 2. The framework is primarily driven by US market demand and by US-headquartered global companies that require it from their vendors regardless of where those vendors are based. If your customers are primarily Australian domestic enterprises or government agencies, ISO 27001 and the Essential Eight are more likely to appear in procurement requirements than SOC 2.

The scenarios where SOC 2 becomes a genuine commercial requirement for Australian companies typically include: selling SaaS or data services into US enterprise, partnering with US platforms that require SOC 2 from all API integrations, seeking investment from US venture capital firms that include SOC 2 in due diligence checklists, and operating in sectors such as financial technology, health technology, or data analytics where global enterprise buyers apply US-derived procurement standards globally. We have worked with Australian companies in open banking and financial data services who encountered SOC 2 requirements from their first US customer engagement. Waiting until a deal is at risk to start the process is not a position anyone wants to be in.

What the Process of Achieving SOC 2 Involves

A SOC 2 programme starts with defining the scope: which systems, services, and data environments will be covered by the report. The scope determines the controls that need to be assessed and the evidence that will be gathered during the audit. Once scope is defined, the organisation needs to document its control environment, implement any controls that are missing, and begin generating the operational evidence that a Type II report requires.

The audit itself is conducted by a licensed CPA firm. For a Type II report, the auditor observes the organisation's controls over an agreed period, typically six to twelve months, testing a sample of evidence for each control to determine whether it operated effectively. Common areas of testing include access provisioning and de-provisioning records, change management logs, vulnerability scan results and remediation records, incident logs, and backup testing documentation. The auditor issues a report with an opinion and, if applicable, a description of any exceptions found during the testing period.

How Long It Takes and What It Costs

For an organisation starting from a reasonable technology foundation, a SOC 2 Type II programme typically takes 9 to 14 months from programme start to report issuance. The observation period accounts for most of that time. The cost varies depending on the scope of the audit, the complexity of the system environment, and the amount of control build-out required before the observation period can begin. CPA firm fees for the audit itself are a significant component, but the internal and advisory effort to prepare the control environment is often the larger investment.

Organisations that approach SOC 2 as a documentation exercise and try to compress the process typically encounter two problems: the controls are not genuinely operating when testing begins, which produces exceptions in the report, and the report period is short enough that buyers question its relevance. A credible SOC 2 programme requires genuine control operation over a meaningful period. We have helped Australian fintech and data services companies achieve their first SOC 2 Type II reports within 11 to 14 months, and in each case the report reflected a control environment that was functioning as described.

To discuss whether SOC 2 is the right framework for your organisation and what a programme would involve, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?