SOC 2: Reporting on Controls Relevant to Security, Availability and More

Many entities function more efficiently and profitably by outsourcing tasks or entire functions to other organizations that have the personnel, expertise, equipment, or technology to accomplish these tasks or functions.  Examples of the services provided by such service organizations are as follows:

  • Customer support – online or telephonic post-sales support and service management
  • Sales force automation – providing and maintaining software to automate business tasks for user entities that have a sales force
  • Health care claims management and processing – providing medical providers, employers, third-party administrators, and insured parties of employers with systems that enable medical records and related health insurance claims to be processed accurately, securely, and confidentially
  • Enterprise IT outsourcing services – managing, operating, and maintaining user entities’ IT data centers, infrastructure, and application systems and related functions that support IT activities
  • Managed security – managing access to networks and computing systems for user entities

SOC 2 reports are intended to meet the needs of a broad range of users who require detailed information and assurance about the controls at a service organization. The controls examined in a SOC 2 engagement are those relevant to the security, availability, and processing integrity of the system the service organization uses to process user entities' data, and to the confidentiality and privacy of the information that system processes. SOC 2 engagements are performed under the AICPA Attestation Standards, AT-C Sections 105 and 205, using the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

About SOC 2

These reports play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

As with SOC 1, there are two types of SOC 2 report.

A SOC 2 Type 1 report is on management’s description of a service organization’s system and the suitability of the design of controls as of a specific date.

A SOC 2 Type 2 report is on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a specific period of time.

Use of these reports is restricted to service organization management, user entity management, and user entity auditors.

Trust Services Criteria

The Trust Services Criteria include criteria for evaluating controls related to security, availability, processing integrity, confidentiality, and privacy. Additional information about each category is included below.

  • Security – The system is protected against unauthorized access, use, or modification.
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the privacy criteria of the Trust Services Criteria, which succeeded the AICPA's Generally Accepted Privacy Principles (GAPP).

Our Approach to Performing SOC 2 Engagements

Choosing Smith & Howard as your partner in completing a SOC 2 engagement benefits your service organization by:

  • Documenting your internal control environment and controls
  • Providing confidence to users of the system
  • Allowing you to meet regulatory and contractual requirements with users

We are here to help you perform a readiness assessment to ensure controls are documented and to gain an understanding of your internal control environment – all of which will provide a smooth and efficient SOC 2 engagement experience.  Our SOC Team has been trained specifically to perform SOC engagements and has the experience, knowledge, and skill to ensure your engagement is seamless.


For more information about SOC 2 engagements, please complete the contact form below or call Marvin Willis at 404-874-6244.
