Service Organization Controls 2: Conveying Trust and Confidence
Service Organization Controls 2 (SOC 2) is a report issued under AICPA standards that allows Deloitte & Touche LLP to provide an opinion on management's assertion about the security, availability, processing integrity, confidentiality or privacy of a service organization's services or systems.
How can a SOC 2 report help my organization?
If you have a need to provide some level of assurance to your customers about your services or systems, a SOC 2 report, which provides a description and evaluation of your processes and controls, can be used to communicate and build trust with your customers by providing them with an understanding of the matters they care about most.
SOC 2 reports are similar in structure and general approach to SOC 1 (SSAE 16, previously SAS 70) reports:
- An option for issuing a Type 1 or Type 2 report. A Type 1 report covers only the design of controls as of a specified date, while a Type 2 report covers the design and operating effectiveness of controls over a specified period
- An assertion by management
- An opinion on management's assertion issued by a service auditor
- A description of the service organization's procedures and controls
- A description of control objectives, control activities and the tests of controls.
SOC 2 reports differ from SOC 1 reports in several respects:
- Do not cover processing or internal controls over financial reporting, and are not intended to support activities related to financial reporting by user organizations.
- Can potentially be issued to a wider audience. Intended recipients are management of the service organization, user entities, and other “specified parties.” Specified parties are those who understand the nature of the services being provided by the service organization, how the service organization operates, and the related internal controls.
- Often provide more detail throughout the report; management's description of controls, the control activities, the tests of controls, etc.