
Kerry L. Shackelford CPA LLC
SERVICES --- SOC 2
A System and Organization Controls (SOC) 2 report is an independent auditor’s report on internal controls placed in operation at a service organization relevant to the security, availability, processing integrity, confidentiality, or privacy of a system (or service) as of a point in time (a “Type I” report) or covering a period of time (a “Type II” report). A Type I report is commonly the first report issued for a service organization, with the second and following reports being Type II reports. A SOC 2 Type II report usually covers a 6- to 12-month period.
The purpose of a SOC 2 is to report on a service organization’s controls over its system (or service) relevant to security, availability, processing integrity, confidentiality, or privacy. These controls achieve one or more of the AICPA Trust Services Criteria. A SOC 2 audit always includes the criteria in the “security” category, which is also known as the “common criteria.” Optionally, a SOC 2 may include the criteria set forth in the availability, processing integrity, confidentiality, and/or privacy categories.
SOC 2 engagements must conform to the requirements of certain AICPA attestation standards and interpretations. Such guidance includes:
- SSAE 18 (AT-C Sections 105 and 205)—Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C Section 105, Concepts Common to All Attestation Engagements, and AT-C Section 205, Examination Engagements (AICPA, Professional Standards).
- SOC 2 Audit Guide—AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
The controls addressed by engagements under SSAE 18 and interpreted via the SOC 2 Audit Guide are those that a service organization implements over the security, availability, or processing integrity of a service organization’s system; the confidentiality of the information that the service organization’s system processes or maintains for user entities; and/or the privacy of personal information that the service organization collects, uses, retains, discloses, or disposes of for user entities.
This report meets the needs of a broad range of users who need assurance about controls at a service organization unrelated to financial reporting. You may provide your SOC 2 report to your current and prospective customers.
