A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm, in which the firm opines on the design or operating effectiveness of a service organization's controls and on whether one or more of the following five (5) defined criteria and/or principles have been achieved: security, availability, processing integrity, confidentiality, and/or privacy.
- The SOC 2 (AT 101) report is most useful for service organizations whose clients do not necessarily rely on the reported controls for financial reporting purposes, but do depend on the service organization's ability to maintain a controlled environment; such service organizations formerly received a SAS 70 report. The SOC 2 report demonstrates to a service organization's clients that the organization has been independently assessed against one or more of the five (5) AICPA Trust Services Principles:
  - Security: The system is protected against both physical and logical unauthorized access.
  - Availability: The system is available for operation and use as committed or agreed.
  - Processing Integrity: System processing is complete, accurate, timely, and authorized.
  - Confidentiality: Information designated as confidential is protected as committed or agreed.
  - Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles issued jointly by the AICPA and the CICA.
In addition to one or more of the AICPA Trust Services Principles, a SOC 2 report may also include criteria defined by management, industry standards, or third parties. Such criteria must meet the following basic characteristics: