A System and Organization Control 2 or SOC 2 report is given to a service organization after it demonstrates that it has sufficient internal controls in place for its information systems so that they follow one or more of the Trust Services Principles and Criteria. These criteria usually apply to organizations that do store or process information for their customers such as cloud hosting companies, Software as a Service (SaaS) companies or data processing companies.
Depending on their client’s requirements, the service organization must demonstrate that it has internal controls in place to meet at least one or more of the Trust Service Principles and Criteria, listed below
- Security
- Availability
- Processing Integrity
- Information Confidentiality
- Privacy of Personal Information
Clients usually use these reports to demonstrate to that service providers that they using comply with the Trust Service criteria and that any data collected by them is safe and secured from prying eyes.
By obtaining a SOC 2 report from an auditing agency, you can demonstrate to your client that your internal controls for your information systems are in place and effective.
The SOC 2 report is made up of two parts, Type I and Type II, each of which delivers a different value to your clients.
SOC 2 Type I
The Type I report is usually issued after a basic audit which includes an overview of your company’s information systems and the controls you have in place to ensure compliance to the Trust Principles and Criteria. The auditing agency also comments on the suitability of these controls for the services being provided and the clients using them. The Type I report provides no assurances on the effectiveness of internal controls and can only be seen as mile marker on the road of compliance.
A SOC2 Type I report can issued in very little time if your organization is ready. To demonstrate how good your compliance is, you will need your SOC2 Type II report.
SOC 2 Type II
The Type II report is in a way an extension of the Type I report issued earlier. However, the Type II report is only issued after an assessment of the controls is carried out over a longer period of time, typically six months. It is the Type II report that your clients really want to see and requires complete commitment from your organization to complete a SOC Type II audit successful. The SOC2 Type II report contains all the details of the tests carried out by the auditor and your organization’s performance in those tests. This assures your clients that you are complying to the Trust Services Principles and Criteria laid out for information companies.
Companies do find it difficult to determine the correct kind of control for their size since implementation of effective controls is a time and resource consuming task. Good planning and implementation is key to completing the SOC2 Type II audit and ensuring compliance for your customers.