SOC 2 Compliance


What is it?

System and Organization Controls (SOC), also sometimes referred to as service organization controls, as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports on the internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles.

The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting”, defines two levels of reporting, type 1 and type 2.

Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.

SOC 2 reports focus on how controls fulfil five partially overlapping categories, called the Trust Service Criteria (TSC):

Security
Information and systems are protected against risks that can compromise them and affect the organization’s ability to meet defined objectives.
Availability
Information and systems need to be available when required, so the organization can meet its objectives.
Processing integrity
System processing must provide trustworthy information when authorized, so the organization can achieve its objectives.
Confidentiality
Information can only be accessed by authorized personnel, so the organization can achieve its objectives.
Privacy
Personal information is managed in a way that allows the organization to achieve its objectives.

The content of an SOC 2 audit report should cover:
