SOC 2®
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality, and privacy. These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls.
5 Trust Services Criteria (TSC) for SOC 2® Reports
These reports can form an important part of stakeholders':
- Oversight of the organization
- Vendor management program
- Internal corporate governance and risk management processes
- Regulatory oversight
The Two Types of SOC 2® Reports
A Type 1 report reports on management’s description of a service organization’s system and the suitability of the design of controls. These reports may be restricted in use. A Type 2 report reports on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.