The AICPA's SOC 2 engagement reports on controls at a service organization that are unrelated to financial reporting. The SOC 2 report focuses on controls relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 incorporates predefined criteria as set forth in the AICPA's Trust Services Principles and Criteria (TSPC). This report is a "restricted use" report and is intended for:
- Management of the service organization
- Other specified parties (i.e., user entity management, business partners, suppliers, etc.) that have sufficient knowledge and understanding of the service organization, the related controls and TSPC
A SOC 2 report can provide value to many service organizations, especially data centers and cloud computing companies. It can also provide value to banks and any company subject to HIPAA or the Gramm-Leach-Bliley Act. Whether a report is required for compliance, or data security, availability, or privacy is simply an essential element of the ongoing success of your business, a SOC 2 report may be the right solution.
There are two types of SOC 2 reports:
Type 1: Reports on management's description of the service organization's system and the suitability of the design of the controls in meeting the applicable trust services criteria. If the report addresses the privacy principle, the report must also report on compliance with the commitments in the service organization's statement of privacy practices.
Type 2: A Type 2 report goes beyond the Type 1 report to also include a report on the operating effectiveness of controls in meeting the applicable trust services principles. It includes all aspects of a Type 1 report. If the report addresses the privacy principle, the report must also report on compliance with the commitments in the service organization's statement of privacy practices.
Trust Service Principles and Criteria Link