SOC 2 Compliance

The SOC 2 report is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization. The report can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.

The report can be distributed to an organization’s stakeholders including user entities, CPAs providing services to such user entities, regulators, and business partners.

Organizations have the ability to choose one or a combination of the five AICPA Trust Services Criteria depending upon their customer needs:

1. Security – The system is protected against unauthorized physical and logical access.
2. Availability – The system is available for operation and used as agreed upon.
3. Processing Integrity – System processing is complete, accurate, timely and authorized.
4. Confidentiality – Information designated as confidential is protected as agreed upon.
5. Privacy – Personal information is collected, used, retained, disclosed, and/or destroyed in accordance with established standards.

Organizations that should consider a SOC 2 report include Cloud Service Providers (e.g., SaaS, IaaS, PaaS), enterprise systems housing third party data, IT systems management and data center colocation facilities. If you want to communicate your organization’s controls are properly designed, implemented and operating effectively, then the SOC 2 report may be right for you.

Obtaining a SOC 2 report provides assurance to prospective and current clients that you have procedures and controls in place to provide reliable services, which will differentiate your organization during the sales process. Additional benefits include:

• Increased trust and transparency with your internal and external stakeholders
• Reduced cost of compliance and number of on-site audits
• Helps ensure controls are appropriately designed and operating effectively to mitigate risks
• Satisfaction of audit requirements