SOC 2 Audits
Whereas in a SOC 1 audit management determines the criteria against which controls are evaluated, a SOC 2 audit uses predefined control criteria established by the American Institute of Certified Public Accountants (AICPA). Applying one standard set of criteria to every service organization makes it possible to compare two or more service organizations against each other. As with SOC 1, a SOC 2 audit can produce either a Type 1 or a Type 2 report.
Because management sets the criteria in a SOC 1 audit, two SOC 1 reports are not audited against identical criteria, and so one service organization cannot meaningfully be compared with another. SOC 2 audits are designed to allow that comparison, giving user organizations better and more useful information when choosing whom to do business with. For user organizations that outsource operations, a SOC 2 report is a way to confirm that their data, processes and information are handled securely.
For service organizations, SOC 2 audits provide a way to show clients that their data, processes and information are secure, and to show that this is monitored on an ongoing basis by having semi-annual or annual audits performed.
SOC 2 audits report on controls at a service organization relevant to one or more of the following Trust Services categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security (the common criteria) is in scope for every SOC 2 report; the other four categories are included only where the service organization chooses to have them examined, so the scope stated in the report should be checked against the services actually being relied upon.
Because the criteria are fixed by the AICPA rather than chosen by management, these engagements follow more stringent audit requirements and give user organizations a higher level of assurance.
As with a SOC 1 report, the SOC 2 report contains a description of the service organization's system. It also describes the tests the service auditor performed against the AICPA's predefined criteria and the results of those tests. In a Type 1 report the auditor reports on the design of controls as of a specified date; in a Type 2 report the auditor reports on both design and operating effectiveness over a specified period of time.