SOC 2

Generate sales and retain customers with a technical assurance report.

You can win new customers and keep current ones by demonstrating that your systems are secure and that customer data is kept confidential, remains available and is processed accurately. We can help ease your customers' concerns about the security of their data with a Service Organization Controls (SOC) report.

Service Organization Control 2 Report (SOC 2)

A SOC 2 reporting engagement provides an independent auditor's attestation on a service organization's controls over any or all of five areas: security, availability, processing integrity, confidentiality and privacy. Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information on behalf of those user entities, so a user entity will often require a SOC 2 report before entrusting its data to a provider.

The SOC 2 report results from an attestation engagement that uses the predefined criteria in the Trust Services Principles, Criteria and Illustrations (issued jointly by the AICPA and the CICA) and the requirements and guidance in the AICPA's AT Section 101, "Attest Engagements" (since superseded for current engagements by AT-C sections 105 and 205 under SSAE 18).

As with a SOC 1 report, a SOC 2 report is issued as either a Type 1 or a Type 2 report, and both include a description of the service organization's system. A Type 1 report covers the suitability of the design of the controls as of a point in time. A Type 2 report also covers the operating effectiveness of those controls over a review period and includes a description of the tests the service auditor performed and the results of those tests.

SOC 2 reports address any or all of the following principles:

Security

  • The system is protected against unauthorized access, both physical and logical.

Availability

  • The system is available for operation and use as committed or agreed.

Processing Integrity

  • System processing is complete, accurate, timely and authorized.

Confidentiality

  • Confidential information is protected as committed or agreed.

Privacy

  • Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.

Why does my company need a SOC 2 Report?

  • Commonly required by customers of organizations that provide outsourced services for critical business or IT functions
  • Commonly required by customers of organizations that provide outsourced services that handle sensitive data
  • Used as an effective compliance tool for examining and testing a service organization's security, availability, processing integrity, confidentiality and/or privacy controls

Scope of SOC 2 Reports

Required

  • Security (the common criteria, which every SOC 2 report must include)

Optional (selected based on the commitments made to customers)

  • Confidentiality
  • Availability
  • Privacy
  • Processing integrity

SOC 2 Plus

A SOC 2 Plus (SOC 2+) engagement extends the SOC 2 examination to report against the requirements of an additional framework in the same report, for example:

  • HIPAA
  • ISO 27001
  • NIST
  • HITRUST

Common Requirements of SOC 2 Compliance

  • Documented information security policies
  • Security tools and monitoring
  • Employee non-disclosure agreements
  • Encryption of sensitive data
  • Access granted on the basis of least privilege
  • HR practices (background checks, onboarding and offboarding)
  • Well-controlled and documented systems development and change management processes
  • Vendor assessments
  • Patching, vulnerability scanning and penetration testing
  • Security awareness training at least annually
  • Backups and data recovery procedures

Latest Technology Consulting Insights

Learn more about our Technology Consulting team’s expertise and ways in which we are helping organizations evaluate regulatory compliance. Our team has experience serving companies that range from startups to Fortune 100 companies in a variety of industries.


Kate Siegrist
Partner

Kate Siegrist is a Partner with over 20 years of combined experience advising CEOs, CISOs and CIOs. She helps her clients navigate highly regulated industries to ensure business opportunities are not missed due to compliance burden.

Rod Smith
Partner

Rod Smith is a Partner in the Assurance and Technology Control Services Practice within the Audit Group, with professional services experience in quality assurance of the information technology control assurance portion of financial statement audits.

Sean Linton
Partner

Sean Linton is an Audit Partner providing assurance and technology control services. He specializes in System and Organization Controls (SOC) examinations, risk assessments, and information systems advising and strategy.


John Fodera
Partner

John Fodera is a Partner with over 30 years of audit, accounting and business management experience, including extensive experience in internal controls, privacy compliance, strategic planning, Written Information Security Program (WISP) and process reengineering.

Bill Bodner
Director

Jason Juliano is the Director of Digital Transformation and Process Improvement with over 25 years of experience in consulting, emerging technology, digital transformation, innovation and risk management.