SOC 2 audits are primarily aimed at tech companies that provide services and systems to customer companies.
SOC 2 requirements are developed by AICPA for independent assessment of control procedures for risk management in service companies.
Outsourcing companies should be sure that the service provider has a reliable, properly organized and effective internal control system. One of the ways for a service company to provide such information is to engage an independent auditor to make a report on the results of the assessment of the company’s non-financial control procedures.
As part of the SOC 2 audit, information and evidence regarding security, availability, integrity of data processing and/or the service company’s personal data confidentiality is subject to analysis in accordance with SOC 2 Trust Services Criteria (TSC) developed by AICPA’s (American Institute of Certified Public Accountants).
The SOC 2 report is intended for provision to customers, managers and users of service companies. The report shows confidence in suitability and effectiveness of the service company’s controls related to personal data security, availability, integrity of processing and/or confidentiality. The report is usually intended for limited use by existing and potential customers
There are two types of SOC 2 audits and reports:
Type 1 – audit and report completed on the specified date.
Type 2 – audit and report completed for a certain period, usually at least six months.
Entities subject to compliance:
- Companies that provide services to other organizations and want to provide their existing or potential customers with confirmation from an independent party regarding the high quality of their internal processes.
- Outsourcing IT companies.
Internet service companies.
- Companies providing healthcare services.
- Manufacturers of food, pharmaceutical or high-tech products
- Banks and financial companies as an additional advantage of a third-party auditor’s confirmation of the quality of customer personal data processing and general data protection (Security, Confidentiality and Privacy).
SOC 2 TSC define 5 criteria, and service companies must choose which of the five (or all five) criteria are required to reduce key risks to the service or system they provide:
1. General criteria – where information and systems are protected from unauthorized access, unauthorized information disclosure and damage to systems that may compromise availability, integrity, confidentiality of information or systems, and affect the company’s ability to achieve its goals. A mandatory category.
2. Availability – where information and systems are available for work and use to achieve the company’s goals.
3. Processing integrity – where information and systems are available for operation and use to achieve the company’s goals.
4. Confidentiality – where information designated as confidential is protected to achieve the company’s goals.
5. Personal data confidentiality – where personal data is collected, used, stored, disclosed and deleted to achieve the company’s goals.
The SOC2 audit report includes:
- Conclusion on the audit results.
- Approval of the audited company’s management.
- Detailed system or service description.
- Detailed information about the TSC chosen.
- Description of the company’s internal controls tests and test results.
- Optional additional information the company may add to the report.
The SOC2 audit report also shows whether the service copany meets the AICPA TSC requirements.