A SOC 2 report is an independent examination of a service organization's controls over its system's security, availability, processing integrity, confidentiality, and privacy. Although no law requires an organization to undergo a SOC 2 examination, customers frequently require a SOC 2 report from organizations that perform certain types of outsourced services on their behalf. Organizations are finding it increasingly efficient to outsource aspects of their operations that are not part of their core business and can be executed more effectively by a third party; these third parties are called service organizations. A service organization that collects, processes, transmits, stores, organizes, maintains, or disposes of information for other entities may be asked to complete a SOC 2 examination so that the customer can obtain reasonable assurance that the service organization's controls are suitably designed and operating effectively.
A SOC 2 examination is evaluated against the Trust Services Principles and the Generally Accepted Privacy Principles. Trust services are a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs.
Download the presentation: Understanding changes to the Trust Services Principles for SOC 2 reporting