SOC 2 – Type 2
SOC 2 reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality and privacy. SOC 2® reports are examination engagements performed by a service auditor (CPA) in accordance with AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards) using the predefined criteria in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Questions & Answers).
SOC 2® reports specifically address one or more of the following five key system attributes:
(i) Security – The system is protected against unauthorized access (both physical and logical);
(ii) Availability – The system is available for operation and use as committed or agreed;
(iii) Processing integrity – System processing is complete, accurate, timely and authorized;
(iv) Confidentiality – Information designated as confidential is protected as committed or agreed;
(v) Privacy – Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants. [The criteria in GAPP are the same as the criteria for the privacy principle in TSP section 100.]
Use of a SOC 2® report is generally restricted.
The two types of SOC 2® reports are:
Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls;
Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.