SOC 2 Report

Data Storage and Protection Assurances

Recent trends have put a greater spotlight on data security and on making sure that sensitive information is protected. A SOC 2 report provides assurance and comfort to others that the data stored within an organization’s infrastructure has the safeguards in place to keep it secure. It is governed by the five AICPA Trust Services categories: security, which is referred to as the common criteria, and the additional categories of availability, confidentiality, processing integrity, and privacy, which can be brought into scope. Within each category there are defined criteria, and we create control activities that map to them. Ultimately, the SOC 2 report can be distributed to clients, prospective clients, and business partners to show them that the data they are concerned with is secure.

Industries in which you typically see a SOC 2 report include data centers, software as a service, and really any cloud industry. It really is industry agnostic.

A SOC 2 report can be a Type 1 or a Type 2 audit. The Type 1 is at a point in time: we complete our audit procedures over a test of one, and we conclude and validate that the controls are designed and implemented. The report that follows a Type 1, and is the more valuable report, is the Type 2. A Type 2 provides assurance over a period of time that the controls are not only designed and implemented but also operating effectively during that period. The Type 2 is a recurring audit, typically on an annual cadence.

Recently, we’ve had more requests for a SOC 2 Plus audit, which is a SOC 2 report combined with a different internal control framework. This is becoming more common, and it’s something we can absolutely do and that the AICPA allows. What we see frequently is SOC 2 Plus CMC, SOC 2 Plus ISO, SOC 2 Plus HITRUST, or SOC 2 Plus HIPAA. The frameworks that can be incorporated into your SOC 2 really run the gamut, and a SOC 2 Plus meets the needs of a larger population of stakeholders. You can also incorporate additional controls at the request of a stakeholder; it doesn’t necessarily have to be a formalized internal control framework. There’s some flexibility on what additional controls we can incorporate into the report and ultimately provide third-party independent auditor assurance on.

A SOC 2 Plus report includes an attestation to additional subject matter from industry-specific standards, such as those of the International Standardization Organization (ISO), the National Institute of Standards and Technology (NIST), etc.
