Q: How do I communicate my new SOC 2® Report? SOC 2 Certified?
A: MJD Answer
We strongly recommend that you do not use the phrase "SOC 2 Certified". Yes, you see it everywhere, and your competitors are celebrating their "certificate", but don't do it, because no such thing exists. The AICPA goes as far as to say explicitly that you should not use that phrase when referring to your SOC 2 report, and since SOC® is an AICPA trademark, misusing it is technically trademark infringement.
There is no auditor jail they throw you in, and, well, "everybody else is doing it", but people who know the difference will notice and raise an eyebrow at the seriousness of your program.
The reason this matters is that it is foundational to what the report is. SOC 2 is not a control framework and does not prescribe a required level of security posture. You are reporting on, and being audited against, the controls you designed for your own system and your own business objectives, evaluated against the Trust Services Criteria you chose to include. There is no fixed control set to pass, so there is nothing to certify. This is also why the service can be flexible enough to fit a two-person company or Google.
The best way to think about it is that the auditor is making sure you are doing what you say you will do: the commitments you have made to customers, and the trust they have placed in you as a company, have been subjected to an independent audit. So instead of saying "SOC 2 Certified", focus on why the report was important to the company and its customers and on your intention to keep building a company that prioritizes security and transparency (which, in many ways, is a much more personal touch).
You can also obtain and display the official SOC for Service Organizations logo provided by the American Institute of Certified Public Accountants (AICPA). Before you do, read the terms, conditions, and usage guidelines that come with it.
When it comes to communicating a new SOC 2 report, there are a few key steps you can follow to ensure that the information is effectively communicated to your stakeholders. Here are some suggestions:
- Determine your audience: The first step is to identify who needs to know about the report and why. You may need to share it with customers, prospects, investors, or regulatory bodies, and each group has different questions.
- Choose your communication channels: Once you know your audience, choose the channels that reach them. Common options include email, social media, press releases, and direct mail. Keep in mind that public channels are for announcing that the report exists; the SOC 2 report itself is a restricted-use document, so distribute it directly to customers and prospects (typically under an NDA) rather than posting it publicly.
- Develop a messaging strategy: Craft clear, concise messaging that explains what the report covers. Emphasize the areas of your operations that were assessed, the Trust Services Criteria in scope, the audit period, and the steps you took to address any exceptions or concerns raised during the assessment.
- Provide context: Explain what a SOC 2 report is and how it aligns with your company's overall mission and values. Help your stakeholders understand the significance of the report in the context of your industry.
- Follow up: After you have communicated the new report, follow up with your stakeholders to answer any questions. Provide additional resources as needed, and be prepared to address any concerns that arise.
By following these steps, you can communicate your new SOC 2 report effectively and reinforce your commitment to security and transparency.