This site uses cookies to provide you with a more responsive and personalized service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.

Bookmark Email Print this page

Service Organization Controls 2 : Conveying Trust and Confidence


Service Organization Controls 2 (SOC 2) is a report issued under AICPA standards that allows Deloitte & Touche LLP to provide an opinion on management's assertion about the security, availability, processing integrity, confidentiality or privacy of a service organization's services or systems.

How can a SOC 2 report help my organization?
If you have a need to provide some level of assurance to your customers about your services or systems, a SOC 2 report, which provides a description and evaluation of your processes and controls, can be used to communicate and build trust with your customers by providing them with an understanding of the matters they care about most.

SOC 2 reports are similar in structure and general approach to a SOC 1 or SSAE 16 reports (previously SAS 70):

  • An option for issuing a Type 1 or Type 2 report. A Type 1 report covers only the design of controls, while a Type 2 report covers the design and operating effectiveness of controls
  • An assertion by management
  • An opinion on management's assertion issued by a service auditor
  • A description of the service organizations procedures and controls
  • A description of control objectives, control activities and the tests of controls.

SOC 2 reports differ from SOC 1 reports in several respects:

  • Do not cover processing or internal controls over financial reporting, and are not intended to support activities related to financial reporting by user organizations.
  • Potentially can be issued to a wider audience. Intended recipients are management of the service organization, user entities, and other “specified parties.” Specified parties are those who understand the nature of the services being provided by the service organization, how the service organization operates, and the related internal controls.
  • Limited to addressing criteria established by the AICPA (or other recognized body). Unlike SOC 1 reports where management specifies the objectives and controls. The one exception is for SOC 2 reports which cover privacy. These engagements would also need to include the service organization's privacy policy, which would obviously vary from organization to organization.
  • Often provide more detail throughout the report; management's description of controls, the control activities, the tests of controls, etc.

Share this page

Email this Send to LinkedIn Send to Facebook Tweet this More sharing options

Stay connected