A Guide To SOC-2 Audits: Considerations for Local Governments 

By Marisa Pangaro

Local government officials often face obstacles when it comes to the paramount issue of keeping their local government networks cybersecure. In the online age we live in, local government institutions should operate digitally so that government operations run in the most efficient and modern ways possible. However, the digital transformation of local government workflows brings cybersecurity considerations and risks with it.

Within local government circles, it is well known that government data breaches, network hacks, and ransomware attacks are at an all-time high in the U.S., and SOC-2 is put in place to mitigate and protect against them. SOC-2 is designed to help keep institutions safe in their online environments, including security protocols that uphold what are called the “Trust Service Criteria.”

Keep reading this guide for the full rundown on what SOC-2 compliance is and to learn why it is so important in your municipality. 

What is SOC-2? 

SOC-2 stands for Systems and Organization Controls 2. It was originally created by the American Institute of Certified Public Accountants (AICPA) in 2010 and is designed to provide auditors with guidance for evaluating the operating effectiveness of an organization’s established security protocols.

SOC 2 is a security framework which outlines specific guidelines on how organizations should protect customer or constituent data from unauthorized access, security incidents, and other vulnerabilities in the digital realm. The AICPA developed SOC-2 around their established trust services criteria to streamline SOC-2 audits and institution cybersecurity.

The Five Aspects Of Trust Service Criteria 

The trust service criteria were established as a set of principles to be prioritized when auditing vulnerable online networks. Here are the five aspects of the trust service criteria and an explanation of what each protects against:

1. Security

Keeping sensitive, private constituent and government data secure from unauthorized users is the main objective of the security checks outlined in the trust service criteria. Ensuring that only authorized users with permission to access information get their hands on the valuable data is vital to protecting against a data breach or hack of your local government network through the cloud.

Oftentimes, when a local government network is not secure, it takes months or even years for the municipal government to recover from the damage inflicted by malicious hackers. 

2. Availability

A large part of meeting SOC-2 compliance is guaranteeing that all employees, and even constituents, who need to interact with the local government's online networks are able to do so reliably. Everyone knows that websites can crash, become unresponsive, or freeze while being visited. SOC-2 audits ensure there are protocols in place to keep the local government website working properly at all times so it can be used whenever necessary.

3. Processing Integrity

The integrity of government websites must be maintained to be sure that online networks and workflows for the municipality are operating properly and, more importantly, as intended.

4. Confidentiality

Protecting confidential information through limiting access to data storage is vital because local governments handle a lot of time-sensitive, private, even delicate data such as personal information about workers and constituents. Institutions that handle information like this must ensure confidentiality for all customers or constituents in order to maintain the integrity and trust bestowed upon them.

5. Privacy 

Safeguarding all sensitive information against unauthorized users through encryption and cyber secure data storage is the best way to protect the valuable data that governments are entrusted with. 

What Steps Does A SOC-2 Audit Consist Of? 

A SOC-2 audit contains many aspects and steps that are meant to safeguard networks against cybercrime. Here is a list of the steps in a SOC-2 audit:

  • Step 1: Pre-Audit

Controls and attestation reports unique to every organization are run and analyzed through the institution's specific design with its own controls to comply with the established trust services criteria.

  • Step 2: During Audit

An independent auditor is brought into the organization or institution with the objective to verify whether the company’s controls satisfy SOC 2 requirements.

  • Step 3: Post Audit 

After the audit, the auditor writes a report about how well the company’s systems and processes comply with SOC-2 guidelines or standards.

  • Step 4: Audit Report Results 

Every organization that completes a SOC-2 audit receives an audit report, regardless of whether they passed compliance or not, to provide further explanation regarding the results and findings of the audit. 

The audit report results are broken up into four categories which are:

    • Unqualified: The company passed its audit
    • Qualified: The company passed, but some areas require attention and further inspection
    • Adverse: The company failed its audit and must make changes 
    • Disclaimer of Opinion: The auditor doesn’t have enough information to make a fair conclusion on the security of the institution

What Is The Difference Between SOC-2 Type I and Type II?

The two audit types require two completely different timelines to be completed, questions to be asked, and information to be analyzed. Here is the difference between the two audit types: 

SOC-2 Type I Reports

  • SOC-2 Type I reports evaluate a company’s controls only at a single point in time. 

These audit types only answer the singular question: Are the security controls designed properly?

SOC-2 Type II Reports 

  • SOC 2 Type II reports assess how those controls function over a long period of time and are viewed as more robust, reliable, and forward-thinking. In general, these audits take longer with a timeline of 3-12 months. 

This audit type answers the question: Do the security controls a company has in place function as intended over time?

Should Your Municipality Run A SOC-2 Type I or II Audit? 

To choose between the two SOC-2 audit types, be sure to consider your goals, cost, and timeline constraints on the analysis. While Type I reports are achieved faster, Type II reports offer greater assurance to your customers with a more robust deep dive into the entire framework of cybersecurity in your municipality.

  • GovPilot’s SOC-2 Report Recommendation: 

At GovPilot, we recommend going straight for the SOC-2 Type II report. Although it may take longer to receive results, it's likely that at some point your municipality will need a Type II report anyway, as they are more thorough. By making the investment and going straight for a Type II report, you can save time and money within your local government.

SOC-2 Audits In Conclusion

SOC-2 audits are a relatively new yet extremely necessary part of safeguarding vital information within a local government or other similar institution. If your local government has not yet undergone a SOC-2 audit, doing so is vital to the cybersecurity of your municipality, government networks, and sensitive data. Book a consultation with GovPilot today to learn more about government management software and how to prepare for a SOC-2 audit.

SOC-2 Audit FAQs

Why is an SOC-2 audit necessary for governments? 

A SOC-2 audit is a necessity for local governments because there are a number of security threats working to hack into local government servers at all times. The SOC-2 audit ensures that steps are taken to protect government networks from suspicious activity and cyber attacks. 

Who audits SOC-2 compliance?

Independent auditors are brought in to audit SOC-2 compliance and the reports are not run by in-house inspectors. This ensures a fair and unbiased judgment of SOC-2 and cybersecurity compliance within the institution.  

What is analyzed in a robust SOC-2 audit? 

If an SOC-2 audit is conducted properly, these five aspects of trust service criteria are analyzed: security, availability, processing integrity, confidentiality, and privacy. 
