Welcome to MJD Advisors

The short answer - there is no minimum or prescribed requirements for SOC 2. The AICPA has designed SOC 2 as a conceptual framework that requires you to determine system objectives, identify risks to meeting those objectives and implement controls designed to mitigate those risks. 

For a first-time SOC 2, what we look to focus on are the controls that will meet the expectations of your customers and business partners. All of the clients we work with are trying to do the right things, but need some help enhancing their documentation and processes or identifying the most effective methods of achieving those expectations. You are about to provide these individuals a new level of transparency about your organization and we want to help you provide an accurate, high quality report that you submit with pride.

There isn’t a specific minimum period that is prescribed by the AICPA. The minimum length of the scope period is a business decision and should be of a length of time that demonstrates the controls operated effectively and will be of value to the users of the report.

Generally, as the focus of SOC 2 is on customers, we encourage clients to have some dialogue with a critical customer or prospect that is requesting the SOC 2. Ask them the question - we are considering a 3 month type 2 scope period - will this meet your needs or do you have other expectations? They may ask you “what is a scope period” or they may tell you they would like to see 6 months. Ultimately, we believe it’s important to be transparent during planning so you have confidence a report that will provide you with value will be produced.

Potentially. Penetration testing can be a valuable control, but the requirement is driven by the expectations of customers and business partners. 

There are also many options in the market that present themselves as penetration tests and tools that can be used to conduct the exercise internally - which all produce a range in cost and value. Our focus is helping you understand these options and making the right selection for what you need.

Not necessarily. We believe the risk and business needs should drive these decisions (not the compliance examination). 

Of course, if you have committed to an annual penetration test and it has been 14 months since one was completed - that’s likely something that should be a priority. Otherwise we will work with you on the best report presentation option if this isn’t a control we are able to test during the type 2 scope period.

The service was created by CPA’s…  or more specifically the American Institute of Certified Public Accountants (AICPA) so they get to set the rules.

But keep in mind, the CPA profession is viewed as one of the most trustworthy in the world and has the infrastructure in place for auditing, reporting and oversight. Like every occupation, CPA’s are being forced to evolve and SOC 2 created an incredible opportunity for people like us to work closer with the IT community. However, the need for a CPA is limited to the individual that signs the report and we happen to have one of those. Also, while we respect the CPA profession a great deal - we don’t believe you need to be a CPA to understand SOC or provide education on cybersecurity.

We believe the most critical time during a project is the planning phase. We like to get aligned with our client before a scope period begins on the key controls and evidence that will be tracked to document control operation. We also set very clear expectations for what will be expected from the clients staff (and from our team) during the project so that everyone is held accountable. 

We’re fortunate at MJD, because a focus on planning and expectations allows us to avoid the surprise “extra bill”. Generally, the only time additional costs are necessary is when a client does not invest in the process or respect the time of our team. Incomplete responses, exceptions and findings or a lack of transparency are the areas that most commonly result in additional services. These projects are always uncomfortable and keep us from being our best (for you and our other clients) which is why we would prefer to exit the relationship at the appropriate time, instead of making “extra bills” a normal occurrence.