SOC 2 Reports

SOC 2 - SOC for Services Organizations using the Trust Services Criteria:  A SOC 2 is an examination engagement to report on a service organizations design and operating effectiveness of controls according to the trust services criteria (TSC).  The TSC includes five criteria in witch a service organization may be reported on.  They are Security, Availability, Processing Integrity, Confidentiality, or Privacy.  All SOC 2 engagement must include the Security criteria at a minimum, and many engagements will include other criteria along with Security (i.e. Security, Availability, & Confidentiality, etc.).  

​

The criteria to be included for a SOC 2 examination should be predicated on the type(s) of systems and services provided to user organizations and the service commitments promised to user entities.  For example, if the service organization has a service commitment to provide services 24/7, then the "availability" criteria may be appropriate along with security. 

​

There are 2 types of SOC 2 reports.  A type 1, SOC 2 report includes a CPA's opinion on managements description of the system and the suitability of the design of controls presented as of a point in time.  A type 2, SOC 2 includes the elements of a type 1 and adds an opinion if the controls operated effectively over a period of time.  To lean more about report types follow the link.

​

SOC 2 reports include the following sections:

​

1. Managements description of the service organization's system.

2. Management's written assertion whether the description is presented in accordance to the SOC 2 description criteria (dc-200).

3. The service auditor's opinion about the description, suitability of design and operating effectiveness of controls.

4. Detail section of tests of controls and the results of those tests

 

SOC 2 reports are a great way for service organizations to demonstrate trust and confidence to current and future customers, stakeholders, business partners, and other interested parties.  

​