SOC 2 ReportIncrease Customer Confidence and Trust Through Assurance.
WHAT IS A SOC 2 REPORT, AND WHY DO I NEED ONE?
A System and Organization Controls or SOC 2 report is a formal audit of a service provider’s controls that do not impact their client’s internal controls over financial reporting. Unlike a SOC 1 report which attests to a service provider’s controls that affect the client’s internal control over financial reporting, a SOC 2 report focuses on objectives that impact the client’s operational, non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system.
A SOC 2 report follows a set of criteria to examine whether your controls are effective in delivering services to your clients. A SOC 2 report must include at least one of the following five AICPA Trust Services Principles:
- Security – The system is protected against unauthorized physical and logical access.
- Availability –The system is available for operation and used as agreed upon.
- Processing Integrity – System processing is complete, accurate, timely and authorized.
- Confidentiality –Information designated as confidential is protected as agreed upon.
- Privacy –Personal information is collected, used, retained, disclosed, and/or destroyed in accordance with established standards.
A SOC 2 report is unique to each company. Since not all principles are needed to provide a service, the review can be limited only to the principles that are relevant to the outsourced service being performed by your organization. As a result, you’ll have the flexibility to choose which principles will be covered by the audit.
In addition to the Trust Services Principles, a SOC 2 report may also include criteria defined by management, industry standards or third parties. The criteria must meet the following basic characteristics:
SIMILAR TO A SOC 1 REPORT THERE ARE TWO TYPES OF SOC 2 REPORTS
Type 1 – The Type 1 report informs your clients and their auditors that your organization has accurately described its systems and controls, that the described controls are in place, and that the controls are designed to accomplish your financial control objectives. This type of report reflects your organization’s controls as of a specific date in time.
Type 2 – The Type 2 report, in addition to providing the same information as the Type 1 report, verifies that the controls are operating as intended, describes the tests your auditors performed to make that determination, and provides the results of those tests. This type of report reflects your organization’s controls over the course of a specific review period.
WHAT IS THE KEY DIFFERENCE BETWEEN A SOC 1 AND A SOC 2 REPORT?
The determining factor when choosing between a SOC 1 and SOC 2 report is whether or not your organization’s controls are relevant to and have an impact on your client’s internal control over financial reporting or ICFR. If the answer is yes, then you need a SOC 1 instead of a SOC 2 report.
Organizations that typically choose a SOC 2 report include:
- Data Centers & Colocation facilities
- Software-as-a-Service (SaaS)
- Document Printing & Production
- Managed IT Services
- Cloud Computing Providers
WHICH SOC REPORT DO I NEED?
The audience of a SOC 1 report is typically the user organization’s CFO, CIO, Compliance Officer, Internal Audit Director and Financial Statement Auditors whereas a SOC 2 report’s audience is typically the user organization’s CFO, CIO, Compliance Officer, vendor management executives, regulators and certain business partners.
HOW CONTROL LOGICS CAN HELP
Our team of experienced certified information security auditors understand the complexities and key differences between each framework and what they mean to your organization. Our goal is to help you achieve compliance quickly and with minimal disruption to your daily business. Our service delivery model is designed to provide an unparalleled client service experience and our friendly audit team takes a collaborative approach towards helping our clients maximize the long-term business value of their audit and compliance activities.
In addition to a streamlined approach, Control Logics offers:
- Competitive, fixed-fee pricing
- Discounts for multi-year contracts
- Reduced on-site fieldwork by using our secure online client portal
- Director-level support and involvement in each phase of the engagement
To see how we can help your organization, contact us today!