Overview of SOC 2 Reports and the Updated Trust Services Principles and Criteria

A SOC 2 attestation focuses on a service organization's controls relevant to security, availability, processing integrity, confidentiality and privacy, rather than on controls over financial reporting (the subject of a SOC 1). It is performed in accordance with AT Section 101: Attest Engagements, and the report is generally best suited for service organizations, including financial services, health care and other technology-based entities that rely heavily on cloud computing and online systems for day-to-day operations, and whose customers want assurance over how their data is handled.

A key element of a SOC 2 report is the inclusion of one or more trust services principles, based on a framework put forth by the American Institute of Certified Public Accountants (AICPA). Management selects which principles are in scope for the report. Note that the Security principle is made up of the common criteria that also underlie availability, processing integrity and confidentiality, so in practice Security is the baseline that nearly every SOC 2 report covers, with the other principles added as the organization's commitments require. The five principles are:

  • Security. The system is protected against unauthorized access (both physical and logical), use or modification, in accordance with the organization's business commitments and system requirements.
  • Availability. The system is available for operation and use as committed or agreed.
  • Processing integrity. System processing is complete, valid, accurate, timely and authorized.
  • Confidentiality. Information designated as confidential is protected as committed or agreed.
  • Privacy. Personal information is collected, used, retained, disclosed and disposed of within the boundaries of the organization's business commitments and system requirements.

Like SOC 1 reports, SOC 2 reports can be issued as Type 1 (management's description of the organization's system and the suitability of the design of controls as of a specified date) or Type 2 (management's description of the organization's system, and the suitability of the design and the operating effectiveness of controls over a specified period, typically six to twelve months). Because only a Type 2 report tests whether controls actually operated over time, it is the one customers and other stakeholders usually ask for. The report provides valuable third-party assurance, in the form of the service auditor's opinion, on whether the organization's controls meet the criteria underlying the selected trust services principles; any exceptions the auditor identified are disclosed in the report, so readers should review the test results and not just the opinion. While organizations can share a SOC 2 report with key stakeholders, such as customers, regulators, suppliers and directors, it is a restricted-use report and is not intended for general distribution (a SOC 3 report is the general-use alternative). The report can serve to enhance confidence in management's oversight of these systems and internal controls.

In the fall of 2016, AICPA updated its trust services principles and criteria. The update contained a number of significant changes, primarily eliminating redundant criteria and clarifying the language used to describe the required controls and procedures.

The updated trust services principles and criteria took effect for reporting periods ending on or after December 15, 2016, so organizations whose current reporting period ends after that date should confirm that their control descriptions and testing map to the revised criteria.

Please contact us for more information on SOC reports or other business accounting issues.

April 25, 2017