
SOC 2 FAQ


Developed by the American Institute of Certified Public Accountants (AICPA) in response to the ongoing move to cloud computing, a SOC 2 Report attests to the ability of a service organization’s internal controls to manage client data in a secure and trustworthy manner. This independent report, issued by a CPA firm, attests to the results of a comprehensive audit that focuses on system-level controls that process clients’ data. This is in contrast to a SOC 1 report, which focuses on financial reporting controls.

Generally, when someone asks if you have a “SOC 2” they are referring to a SOC 2 Type 2 Service Auditors report that includes the Security and Availability Trust Services Criteria. A SOC 2 Type 2 report covers the design and documentation of controls and provides evidence as to how the organization actually operated the documented controls over an extended period of time (usually a year).

When a service organization undergoes a SOC 2 audit, they specify whether the auditor will perform a SOC 2 Type 1 or SOC 2 Type 2 audit. A SOC 2 Type 1 report attests to the design and documentation of a service provider’s controls and procedures as of a specific date. However, the SOC 2 Type 1 report does not cover the actual operation of the controls.

Like a SOC 2 Type 1 report, a SOC 2 Type 2 report covers the design and documentation of controls. A SOC 2 Type 2 report also provides evidence as to how the organization actually operated its controls over a period of time (usually six months or more). It is important to note that the scope of the controls covered in a SOC 2 Type 1 versus SOC 2 Type 2 report could be the same. That is, a Type 2 report is not inherently more stringent than a Type 1 report. The key difference is whether controls are examined “on paper” at a point in time or in operation over a period of time.

The SOC 2 Trust Services Criteria (formerly called the SOC 2 Trust Services Principles) are the full set of criteria that can potentially be included in a SOC 2 examination. The latest Trust Services Criteria are required to be used in any SOC 2 report issued on or after December 15, 2018.

There are currently five Trust Services Criteria: Security, Availability, Confidentiality, Privacy and Processing Integrity. Of these five, only Security must be covered in every SOC 2 examination.

The others can be included or excluded based on their applicability to the service being offered. Each of these five criteria includes many individual criteria, and there is significant overlap among them.

Trust Services Criteria (TSC) are the domains or scope covered in a SOC 2 report. Not all TSCs are required. In fact, only the common criteria are required (also referred to as the Security TSC). Other TSCs should be added to a report to answer common risk-related questions received from clients or to address risks facing the company and its unique service offering. For example, if the availability of healthcare data is extremely important to a service offering, then the availability criteria may be included in the SOC 2 report in addition to the security criteria.

We have had prospective clients say they wanted all of the TSCs included within their SOC 2 report because they wanted it to be the strongest report possible. While the logic makes sense, not all TSCs may apply to a particular client’s service. For example, if your company does not process transactions, processing integrity is probably not applicable.

We have heard of firms including TSCs when they are not applicable within a report and then explaining why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that are applicable to your services and answer the risk-related questions you hear most from your clients and prospective clients.

The Trust Services Criteria are noted below:

  • Security – The system is protected against unauthorized access (both physical and logical). Examples of commonly reviewed SOC 2 security controls relate to the restriction of logical access within the environment to authorized individuals. Other examples include security configurations such as password complexity, MFA, and branch protection rules.
  • Availability – The system is available for operation and use as committed or agreed. The availability criteria require that a company documents a DR and BCP plan and procedures. In addition, it requires backups and recovery tests to be performed.
  • Confidentiality – Information that is designated “confidential” is protected according to policy or agreement. In many cases, this covers business-to-business relationships and sharing of PII or sensitive data from one business to another.
  • Processing Integrity – System processing is complete, accurate, and authorized. Processing integrity may be relevant to companies that process transactions such as payments, or where errors made by your company, such as flawed calculations or processing, could impact your clients’ financials or significant processes. If processing integrity is relevant and included in a SOC 2 report, the auditor will review evidence that processing is complete and accurate and that errors related to processing are identified and corrected.
  • Privacy – The privacy criteria should be considered when “personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.” It’s important to note that the privacy criteria apply to personal information. This differs from the confidentiality criteria which applies to other types of sensitive information.

Privacy Versus Confidentiality Criteria

There are numerous flavors of privacy requirements in place throughout the world. Some such as GDPR and CCPA apply to all citizens in a particular area and give protections to all citizens in that area. Currently, privacy requirements in the United States follow a sectoral approach where laws apply to industries or types of data rather than a standard approach for all citizens.

The AICPA’s privacy criteria are applicable only if your company deals directly with data subjects and collects data such as PII from those data subjects as part of the service.

The collection of email and contacts for marketing purposes by companies is not typically enough to warrant the inclusion of the privacy criteria. In many cases, a company is entrusted with PII or sensitive data by another company that is actually doing the data collection. This is considered confidentiality by the AICPA (B2B data sharing). If your company collects data directly from consumers the privacy criteria may be relevant. Processing integrity is unique to each company if it’s relevant because no two companies process their transactions in the exact same manner.


As SOC 2 is not a standard but a report, there is no SOC 2 “compliance” per se. Instead, you need to pass a technical audit that determines whether your organization has created, has documented, and is following a wide range of policies and procedures that encompass the Security Trust Services Criteria and any other criteria that are within the scope of your audit.

For many service organizations, the Security criteria are of primary interest to their clients and other stakeholders. Therefore, the scope of a SOC 2 examination, and thus the requirements for SOC 2 “compliance,” might only include the Security criteria.

A SOC 2 Report is an independent report, issued by a CPA firm, that covers a service organization’s internal controls that relate to securing and managing client data.

A SOC 1 report focuses on financial reporting controls rather than security controls.

The American Institute of CPAs (AICPA) specifies the components of a SOC 2 report and what information each component needs to include. But it does not specify a format for SOC 2 reports. This allows auditors to organize their reports as they see fit.

Here is an example SOC 2 report created by the AICPA for illustrative purposes. An actual SOC 2 Type 2 report would address different criteria and include different controls and tests of controls specific to the organization being audited.

Unlike some other information security standards like PCI DSS that have very specific requirements, the policies, procedures and technical controls you need to put in place to comply with SOC 2 are unique to each organization.

A company designs its own controls, in line with its business practices, to comply with the relevant SOC 2 Trust Service Criteria.

SOC 2 reports can be Type 1 (aka Type I) or Type 2 (aka Type II) reports.

Type I SOC 2 reports are dated as of a particular date and are sometimes referred to as point-in-time reports. A Type I SOC 2 report includes a description of a service organization’s system and a test of design of the service organization’s relevant controls. A Type I SOC 2 tests the design of a service organization’s controls, but not the operating effectiveness.

Type II SOC 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.


Licensed CPA firms that specialize in information security audits are the only organizations that should perform SOC 2 examinations. There are some companies that perform SOC 2 audits and have a CPA firm sign off on their report even though the CPA firm did not perform the audit. We recommend staying away from that approach. We also recommend selecting a firm that has experienced IT auditors and not financial audit CPAs only. When selecting a firm to perform a SOC 2, we recommend asking for the resumes or bios of any of the auditors that will complete the work. Then, ensure the firm you select has auditors with the appropriate skills and expertise. Certifications such as CISA or CISSP are good to look for. Also, check references and ensure the firm you select has experience in the field you are in.


On December 15, 2018, new SOC 2 guidance went into effect and all reports following that date must include the updated SOC 2 criteria.

A SOC 2 is not a certification, but it’s commonly referred to as one. You do not get a certification at the end of the audit; rather, you get an audit report with either a clean (unqualified) opinion or a qualified opinion.

A clean report opinion simply means all is well, the auditors have a positive view on your organization’s controls. This is the end goal every company wants! A clean SOC 2 report!

A qualified opinion report, on the other hand, is exactly what you think it is. It is the auditor’s negative view on your organization’s controls. The auditor may have identified inconsistencies and irregularities during the audit and concluded negatively on the operating effectiveness of the controls. This is not the desired outcome.

The answer is yes; however, based on the nature and complexity of the organization, an alternative equivalent to a Board of Directors (BOD) can be used to demonstrate compliance with the requirement.

This can include the presence of an Executive Committee, a council, or a Senior Management Team.
