SOC 2 Reports
SOC 2 - SOC for Services Organizations using the Trust Services Criteria: A SOC 2 is an examination engagement to report on a service organizations design and operating effectiveness of controls according to the trust services criteria (TSC). The TSC includes five criteria in witch a service organization may be reported on. They are Security, Availability, Processing Integrity, Confidentiality, or Privacy. All SOC 2 engagement must include the Security criteria at a minimum, and many engagements will include other criteria along with Security (i.e. Security, Availability, & Confidentiality, etc.).
​
The criteria to be included for a SOC 2 examination should be predicated on the type(s) of systems and services provided to user organizations and the service commitments promised to user entities. For example, if the service organization has a service commitment to provide services 24/7, then the "availability" criteria may be appropriate along with security.
​
There are 2 types of SOC 2 reports. A type 1, SOC 2 report includes a CPA's opinion on managements description of the system and the suitability of the design of controls presented as of a point in time. A type 2, SOC 2 includes the elements of a type 1 and adds an opinion if the controls operated effectively over a period of time. To lean more about report types follow the link.
​
SOC 2 reports include the following sections:
​
-
Managements description of the service organization's system.
-
Management's written assertion whether the description is presented in accordance to the SOC 2 description criteria (dc-200).
-
The service auditor's opinion about the description, suitability of design and operating effectiveness of controls.
-
Detail section of tests of controls and the results of those tests
SOC 2 reports are a great way for service organizations to demonstrate trust and confidence to current and future customers, stakeholders, business partners, and other interested parties.
​