More and more companies use IT service organizations for their automated data processing. In view of the increasing importance of data security more and more companies are asking those same service organizations for forms of assurance. This creates a growing need for assurance reports specifically for IT service organizations.
SOC 2 report
SOC stands for Service Organization Control. A SOC 2 report is an assurance report, intended for IT service organizations, about the security, availability, processing integrity, confidentiality or privacy of the systems they operate.
SOC 2 audits are targeted at any organization that provides services and systems to client organizations. The client company may ask the service organization to provide an assurance audit report, particularly if confidential or private data is being entrusted to the service organization. A SOC 2 audit is often a prerequisite for service organizations to partner with or provide services to tier-one organizations in the supply chain.
SOC 2 reporting is available in two types:
- A SOC 2 Type 1 assurance is a report as of a specified date and focuses on the way an organization designs its processes and internal controls.
- A SOC 2 Type 2 assurance is an audit repeated yearly, testing the operating effectiveness of these processes and internal controls. The SOC 2 report is more extensive than most other traditional certifications like ISO 27002, because those traditional certifications only focus on the design of processes and internal controls.
A SOC 2 report contains the following elements:
- Management statement
- Independent service auditor's assurance report
- A detailed description of the system or service
- The principles, criteria and performed tests, including the results of testing (optional for a type 1 assurance)
- Optional additional information provided by the service organization which has not been audited by the auditor
SOC 2 vs. ISAE 3402
The financial statements are the starting point for an ISAE 3402 report. A SOC 2 report, by contrast, is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability and processing integrity of the systems the service organization uses to process users' data, and to the confidentiality and privacy of the information processed by these systems (the Trust Service Principles).
In the end, the client's demand is decisive for which report is chosen. What does the client ask for, what does the client want assurance about, and for what purpose? An assurance report is never an obligation, but it can lead to more effective cooperation and more trust between supplier and customer.
How can 2-Control help you?
We can help you with the full SOC audit process. Do you want more information about this assurance statement? Our accredited IT auditors will be happy to get in touch with you. Leave your details in the contact form on the right and we will contact you.