Data Storage and Protection Assurances
What is a SOC 2 Report?
Recent trends have put a spotlight on data security and on making sure that sensitive information is protected. A SOC 2 report provides assurance to others that the data stored within an organization's infrastructure is protected by safeguards that keep it secure. It is governed by the five AICPA Trust Services categories: Security (referred to as the common criteria) is always in scope, and scope can also be expanded to include availability, confidentiality, processing integrity, and privacy. Within each category there are defined criteria, and control activities are created to map to those criteria. Ultimately, the SOC 2 report can be distributed to clients, prospective clients, and business partners to show them that the data they are concerned with is secure.
Who Typically Has a SOC 2 Report?
Industries in which you typically see a SOC 2 report include data centers, software as a service, and really any cloud industry. It is largely industry agnostic.
What is the Difference Between a SOC 2 Type 1 vs. Type 2?
SOC 2 reports can be a Type 1 or a Type 2 audit. The Type 1 is at a point in time: we complete our audit procedures over a test of one, and we conclude and validate that the controls are designed and implemented. The report that follows a Type 1, and the more valuable of the two, is the Type 2. A Type 2 provides assurance over a period of time that the controls are not only designed and implemented but also operating effectively throughout that period. The Type 2 is a recurring audit, typically on an annual cadence.
What is a SOC 2 Plus Report?
Recently, we've had more requests around obtaining a SOC 2 Plus audit, which combines a SOC 2 with a different internal control framework in a single report. This is becoming more common; it is something we can absolutely do, and the AICPA allows it. What we see frequently is SOC 2 Plus CMMC, SOC 2 Plus ISO, SOC 2 Plus HITRUST, or SOC 2 Plus HIPAA. It really runs the gamut of frameworks that can be incorporated into your SOC 2, and a SOC 2 Plus meets the needs of a larger population of stakeholders. You can also incorporate additional controls at the request of a stakeholder; these do not have to come from a formalized internal control framework. There is some flexibility in what additional controls we can incorporate into the report and ultimately provide independent third-party auditor assurance on.
A SOC 2 Plus report includes an attestation to additional subject matter from industry-specific standards, such as those of the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and others.
Additional SOC Resource
Download our eBook, "A Comprehensive Guide to SOC Reports," to learn more about SOC examinations, report types, finding the right auditor, and much more. If you would like to discuss how our team can help with your SOC audit needs, please contact us.