Meeting the Needs of a Broader User Range
What is a SOC 2 Report?
SOC 2 reports verify how client data is handled and ultimately protected by a service organization in accordance with AT-C 205, Examination Engagements. This report is an assessment of an organization’s controls as they relate to the AICPA’s Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. The report details the service organization’s controls and processes in place to secure client data.
What is the Difference Between a SOC 2 Type 1 vs. Type 2?
Similar to SOC 1 reporting, the difference between the two report types is a matter of time. A Type 1 report addresses the suitability of the design and implementation of controls at a specific point in time (as of MM/DD/YYYY). A Type 2 report addresses the operating effectiveness of controls, but does so over a defined period of time, rather than as of a specific point in time. A SOC 2 Type 2 report opines on controls designed to support that client data is housed in a secure manner, and that internal control processes are efficient, consistent, and documented – thus yielding improved operational performance.
Who is Required to Have a SOC 2 Report?
A SOC 2 audit is a best practice for all service-based organizations that store, manage, or process client information in the cloud. This specifically applies to organizations that provide SaaS and cloud storage services. Further, clients may contractually require a SOC 2 report to gain confidence in an organization’s control environment, specifically focused on security, availability, processing integrity, confidentiality, and/or privacy.
When a service organization is processing or maintaining information that requires a controlled or secure system, it is beneficial to have a SOC 2 report to show clients, prospective clients, and other appropriate parties (e.g., vendor management, regulators, external auditors, etc.). This level of independent assurance demonstrates that information is being handled appropriately and that the Company understands the importance of security risks.