SOC 2 reports
Two types of SOC 2 reports
The scope of a SOC 2 report is determined by the client and the auditor using one or more of the Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality or Privacy). The client selects the principles, and the examination determines whether an information system operated by the client uses sufficient control activities to meet the specified criteria for those principles. The client also specifies whether a “Type 1” or “Type 2” examination will be performed for the SOC 2 report.
- 2-Control performs a SOC 2 Type 1 examination when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design of controls as of a specified date.
- A SOC 2 Type 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time. The resulting report is a restricted-use report that should only be used by third parties sufficiently familiar with the system.
In order to maintain a SOC 2 Type 2 report, an annual recurring audit is conducted, checking whether the organization concerned has worked according to the procedures described and whether the measures have operated effectively during the previous year.
The SOC 2 Type 1 report gives an evaluation:
- to what extent the description of the system of the IT service organization, including the internal control measures, gives a true and accurate view of reality, and
- to what extent the design of the internal control measures is adequate.
The SOC 2 Type 2 report adds:
- to what extent the internal control measures have worked effectively over a period of time.