A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality and/or privacy. SOC 2 reports are intended to meet the needs of a broad range of users needing detailed information and assurance about an organization’s controls to securely manage and use customer data during business operations.
With the Security category as the mandatory foundation of every SOC 2 report, you can optionally add up to four more categories: Availability, Confidentiality, Privacy and Processing Integrity. These additional categories let you tailor your SOC 2 report to the services you provide while still adhering to a common set of criteria. Including them may offer additional assurance to your customers.
Once your organization selects the categories in scope, you design controls to meet the criteria for each applicable category. This is your opportunity to specify the actions your organization actually performs. The controls you design help the reader understand how your organization meets the criteria for the chosen SOC 2 categories. These controls typically demonstrate processes for organizational oversight, vendor management, internal governance, logical and physical access, and logical security.
After choosing the categories and designing the controls, your organization will decide between a SOC 2 Type 1 or SOC 2 Type 2 examination. See below for additional details on the differences between these reports.
Once you complete your SOC 2 audit, you can distribute the report to specified parties of your choosing. However, use of these reports is restricted to those specified parties, and they cannot be posted publicly. To address this, the AICPA has designed SOC 3 reports for public distribution. A SOC 3 examination is performed in tandem with your SOC 2 examination and requires no additional work from your organization, as all inputs are obtained during the SOC 2 audit fieldwork.
There are a few important terms to understand when reading a SOC 2 report. Independent Service Auditor refers to the auditor your organization works with. Service Organization refers to the organization being examined, that is, you. Service/Platform refers to the service you provide to your customers. A SOC 2 report is organized into the following sections:
Section 1: Independent Service Auditor's Report
Section 2: Management's Assertion
Section 3: Management's Description of the Organization/Service/Platform (i.e., System Description)
Section 4: Information Provided by the Service Auditor (i.e., controls and test results)
Section 5: Other Information Provided by Management (optional)
SOC 2 Readiness Assessment – Plan for a successful SOC 2 examination. Readiness Assessments are non-attest consulting engagements aimed at designing controls, identifying control gaps, and advising corrective actions before a SOC examination. We collaborate with clients to align relevant trust service categories and criteria, addressing risks important to user organizations.
SOC 2 Type 1 – As the Independent Service Auditor, we evaluate 1) the fairness of the presentation of the Service Organization’s system description in accordance with the description criteria and 2) the suitability of the design of the controls to provide reasonable assurance that the Service Organization’s service commitments and system requirements would be achieved based on the trust services criteria relevant to the applicable trust services categories as of a specified date. The SOC 2 Type 1 may benefit organizations that have never completed an examination, since it assesses the design of controls at a specified date.
SOC 2 Type 2 – As the Independent Service Auditor, we evaluate 1) the fairness of the presentation of the Service Organization's system description in accordance with the description criteria, 2) the suitability of the design of the controls, and 3) the operating effectiveness of the controls to provide reasonable assurance that the Service Organization's service commitments and system requirements would be achieved based on the trust services criteria relevant to the applicable trust services categories over a specified period. The SOC 2 Type 2 examination is recommended for organizations that have had a readiness assessment or completed a Type 1 examination, as it evaluates both control design and operating effectiveness over time. The period a SOC 2 Type 2 report covers is typically 12 months, but periods as short as 3 months can be used for a first-time report or to meet service commitments.
SOC 2+ – SOC 2 reports are produced under the AICPA's AT-C Section 105 and AT-C Section 205 standards for attestation engagements. These standards provide a framework for evaluating and reporting on controls at the Service Organization. Additional frameworks can be added to the engagement and evaluated in the same way, using these standards to assess controls against the additional framework's requirements alongside the applicable SOC 2 categories. Here are a few examples of SOC 2+ reports:
It's important to note that a SOC 2+ report does not provide any certification. For example, in the case of a SOC 2+ ISO 27001 report, the objective of the Independent Service Auditor is to state whether there is reasonable assurance that the Service Organization's controls met the requirements within ISO 27001, as opposed to providing an ISO 27001 certification. Please browse our SOC report FAQs for more information on the different types of reports available to you.
We also provide SOC 3 examinations and other specialized reports, such as SOC for Cybersecurity and SOC for Supply Chain, to address the risk areas most important to you and your organization.
"Schneider Downs takes a refreshingly pragmatic approach to SOC 2 and other compliance initiatives."
Recognized for our deep SOC experience and established service model, we are leaders in the field and sought-after speakers on SOC reporting requirements both regionally and nationally. Key benefits of working with Schneider Downs include:
Schneider Downs employs a distinctive approach to SOC reports by blending the expertise of IT, internal audit, and external audit professionals. Our integration of diverse knowledge and project management skills ensures we meet and exceed our clients’ expectations. To ensure our SOC reports meet your needs, we employ a rigorous Quality Control system and have peer reviews completed by external assessors on a regular basis. To explore how we can support your organization, please contact us to get started.
Schneider Downs provides SOC 2 reports to companies in: Atlanta (GA), Austin (TX), Baltimore (MD), Boise (ID), Boston (MA), Burlington (VT), Charleston (SC), Charlotte (NC), Chicago (IL), Cincinnati (OH), Denver (CO), Detroit (MI), Houston (TX), Indianapolis (IN), Las Vegas (NV), Lexington (KY), Little Rock (AR), Los Angeles (CA), Memphis (TN), Miami (FL), Milwaukee (WI), Minneapolis (MN), New Orleans (LA), New York City (NY), Omaha (NE), Philadelphia (PA), Phoenix (AZ), Pittsburgh (PA), Providence (RI), Portland (OR), Richmond (VA), St. Louis (MO), Santa Fe (NM), Seattle (WA), Washington (D.C.) and Wilmington (DE).
Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and consulting services to public and private companies, not-for-profit organizations and global companies. We also offer risk advisory, transaction advisory, digital consulting, wealth management, retirement plan solutions and investment banking services. Schneider Downs serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), metropolitan Washington (DC) and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.
© 2024 Schneider Downs & Co., Inc. Maryland license number 35239.