Men shake hands in a corporate office building

Amid the always evolving landscape of cybersecurity risks and technological threats, organizations are constantly faced with various pressing concerns. Is our clients’ data secure? Is the data maintaining its integrity throughout the transactional process? Will the data be readily available in situations of potential downtime? These questions, amongst many others, can be addressed by undergoing a System and Organizational Controls (SOC) 2® examination.

What is a SOC 2 report?

A SOC 2 report evaluates the design and operating effectiveness of internal controls of a service organization and is focused on the systems that capture, store, transmit or process customer data. The primary focus of the SOC 2 relates to data security, which is one of five trust services categories established by the American Institute of Certified Public Accountants (AICPA). Additional categories can be included within the SOC 2 report. These additional categories include availability, processing integrity, confidentiality and privacy.

AICPA trust services categories

Security – information and systems are protected against unauthorized access 
Availability – information and systems are available for operations to meet the service organization’s objectives 
Processing Integrity – system processing is complete, valid, accurate, timely and authorized to meet the service organization’s objectives
Confidentiality – information designated as confidential is protected to meet the service organization’s objectives 
Privacy – personal information is collected, used, retained, disclosed and disposed of to meet the service organization’s objectives 

The security, availability, and processing integrity categories are related to the system, and the confidentiality and privacy categories are related to the information processed by the system.

SOC 2 report value

The SOC 2 report is utilized to inform external stakeholders, which often includes compliance officers, CIOs/CISOs, vendor risk management professionals, potential business partners, and other executives who oversee governance functions. Information that can be obtained via the SOC 2 report includes the systems, processes and internal controls at a service organization that are critical to meeting the organization’s service commitments and system requirements.

While SOC 2 has traditionally focused on technical aspects of data security, the 2018 Trust Service Criteria (TSC) updates now also allow organizations to demonstrate their commitment to integrity and ethical values, as well as governance and oversight, by aligning the TSCs with the 17 principles of the COSO framework. Organizations can now not only add insight into the technological procedures and controls within their organization, but they can also demonstrate the efforts being taken organization-wide to address data security risks.

Key components for internal stakeholders
  • improved information security practices, governance and oversight 
  • reasonable assurance that internal controls related to data security are designed and operating effectively and mitigating the risks posed to the organization
  • enhanced visibility into information security practices by the board and executive management 
Key components for external stakeholders
  • assurance that a third-party service organization is protecting the organization’s data 
  • efficient and effective vendor risk management  
  • understanding of the service organizations service commitments and system requirements 

For more information on this topic, contact our team or tell us about your SOC reporting needs.

Executives meet to discuss compliance
Next up

Corporate compliance and the Department of Justice’s continued enforcement