SOC 2
Generate Sales and Retain Customers with a Technical Assurance Report.
You can get more customers and keep current ones by demonstrating you are secure and that customer data is confidential, available and will be processed accurately. We can help ease your customers’ worry about their data security with a Service Organization Controls (SOC) Report.
Service Organization Control 2 Report (SOC 2)
A SOC 2 reporting engagement provides an independent auditor’s attestation related to the controls for a service organization that reflects any and/or all of the company’s security, availability, processing integrity, confidentiality and/or privacy processes. Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. Therefore, a SOC 2 report is often required.
The SOC 2 report results from attestation engagements that use the predefined criteria in the Trust Services Principles, Criteria and Illustrations (from the CICA and the AICPA), and the requirements and guidance in the AICPA’s AT Section 101 “Attest Engagements.”
Similar to a SOC 1 report, the SOC 2 report is issued as either a Type 1 or Type 2 report and provides a description of the service organization’s system. The Type 2 report also includes a description of the tests performed by the service auditor and the results.
SOC 2 reports address any and/or all of the following principles:
Security
- The system is protected against unauthorized access (both physical and logical).
Availability
- The system is available for operation and use as committed or agreed.
Processing Integrity
- System processing is complete, accurate, timely and authorized.
Confidentiality
- Confidential information is protected as committed or agreed.
Privacy
- Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
Why does my company need a SOC 2 Report?
- Required for organizations that offer outsourcing services for critical business or IT functions.
- Required for organizations that offer outsourcing services that handle sensitive data.
- Used as an effective compliance tool for examining and testing a service organization’s security, availability, processing integrity, confidentiality and/or privacy controls.
Scope of SOC 2 Reports
Required
- Data security
Optional
- Data confidentiality
- Data availability
- Data privacy
- Processing integrity
SOC 2 Plus
- HIPAA
- ISO 27001
- NIST
- HITRUST
Common Requirements of SOC 2 Compliance
SOC Insights
EisnerAmper can perform all forms of control attestations (including SOC examinations, such as the SOC 1, SOC 2, SOC 2+ or SOC 3). Our firm performs these engagements across a wide variety of industries, allowing the examined organization to distinguish itself from competitors that do not furnish SOC reports to their client organizations.