SOC 2 Compliance

Assurance for You, Confidence for Your Customers


What is a SOC 2 Report?

A System and Organization Controls (SOC) 2 examination reports on one or any combination of the AICPA’s Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The resulting report demonstrates an organization’s commitment to meeting its customers’ requirements and to cybersecurity best practices.

Purpose and Use

The SOC 2 report is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization. The report can play an important role in oversight of the organization, in vendor management programs, and in internal corporate governance and risk management processes.

The report can be distributed to an organization’s stakeholders including user entities, CPAs providing services to such user entities, regulators, and business partners.

AICPA Trust Services Criteria

Organizations can choose one or a combination of the five AICPA Trust Services Criteria depending on their customers’ needs. In practice, Security is the baseline that every SOC 2 report covers; the other four categories are added to the scope where customers require them:

  1. Security – The system is protected against unauthorized physical and logical access.
  2. Availability – The system is available for operation and use as committed or agreed upon.
  3. Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
  4. Confidentiality – Information designated as confidential is protected as committed or agreed upon.
  5. Privacy – Personal information is collected, used, retained, disclosed, and/or destroyed in accordance with the organization’s privacy notice and established criteria.

Who Needs a SOC 2 Report?

Organizations that should consider a SOC 2 report include cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise systems housing third-party data, IT systems management providers, and data center colocation facilities. If you want to communicate that your organization’s controls are properly designed, implemented, and operating effectively, a SOC 2 report may be right for you.

Benefits of a SOC 2 Report

Obtaining a SOC 2 report provides assurance to prospective and current clients that you have procedures and controls in place to deliver reliable services, which can differentiate your organization during the sales process. Additional benefits include:

  • Increased trust and transparency with your internal and external stakeholders
  • Reduced cost of compliance and number of on-site audits
  • Helps ensure controls are appropriately designed and operating effectively to mitigate risks
  • Satisfaction of audit requirements

Types of SOC 2 Reports

Type 1 Report

The SOC 2 Type 1 report (referred to as a point-in-time report) includes an opinion on whether the service organization’s system description is fairly presented and whether its controls are suitably designed as of a specific date. It does not test whether those controls actually operated. An initial Type 1 report often serves as the starting point for subsequent Type 2 examinations.

Type 2 Report

The SOC 2 Type 2 report (referred to as a period-of-time report) includes an opinion on the suitability of the design of controls at the service organization and on the operating effectiveness of those controls throughout a specified period, typically between three and twelve months. This type of report is often issued annually so that coverage periods run back to back.

Contact Us for a Free Consultation

We’re here to help you! Speak with a BARR specialist about your security and compliance needs.

Why BARR for SOC Reporting

  • BARR’s SOC clients report that our services lead to a 70% reduction in customer compliance questionnaires
  • SOC clients report spending 75% less internal time to pass their audits
  • 40% of BARR’s reports are delivered early
  • Proven practical, adaptive approach that simplifies SOC reporting processes
  • Team members serve on task forces responsible for developing SOC reporting standards
  • Competitive, fixed rates to accommodate growing enterprises

Recent Blog Posts

The 5 SOC 2 Trust Services Criteria Explained

Categories: Cybersecurity Auditing, Security and Compliance, SOC Reporting

So what goes into a SOC 2 report, anyway? There are five trust services criteria (TSC) that can be included in a SOC 2 report: security, availability, confidentiality, processing integrity,…

How to Leverage ISO 27001 to Obtain a SOC 2 Report

Categories: ISO 27000, SOC Reporting

If your organization has scaled to work with clients in and outside of the U.S., you might be curious about the benefits of a compliance framework that meets both national…

BARR is 1 of 9 Firms in the U.S. Eligible to Perform Audits Against ISO 27001, SOC 2, and HITRUST

Categories: HITRUST, ISO 27001, SOC Reporting

BARR is proud to say that we are one of nine firms in the U.S. eligible to perform audits against all three of the most highly regarded frameworks: ISO 27001, SOC 2, and…

Starting your SOC 2 Examination? Avoid These 4 Common Mistakes Before Your Audit

Categories: SOC Reporting

Committing to a System and Organization Control (SOC) 2 examination is an exciting endeavor. Your SOC 2 report can differentiate your organization as one who takes the security of your…

At BARR, we are committed to guiding you through the engagement process.

Learn what to expect with your engagement lead from kickoff to final deliverable and everything in between.

Connect

After we connect on a 30-minute call to determine your needs, BARR will send a proposal within one day to confirm our understanding. We guarantee client satisfaction, or you don’t pay.

Readiness

The readiness assessment provides three deliverables to assess your readiness to begin the audit: System Scope, Prioritization of Gaps, and Key Controls. This is accomplished as follows:

  • Readiness Meeting #1: You will meet your BARR engagement manager, demonstrate your system, and confirm scope and expectations.
  • Readiness Meeting #2: In this meeting of two or more hours, we will review your key processes, such as change management, access management, and vulnerability management.
  • Readiness Meeting #3: A debrief meeting to confirm the three readiness deliverables.

Remediate & Engage

You will correct your gaps prior to the start of the audit period. An engagement letter with the agreed audit period is then signed.