User entities and organizations want reporting that provides assurance on controls over operations and compliance, not only on controls over financial reporting. The AICPA created a framework to enable a broader type of third-party attestation reporting on controls at service organizations, beyond financial reporting alone. This framework is the Service Organization Control (SOC) reporting framework. The SOC framework offers three reporting options: SOC 1, SOC 2, and SOC 3.

SOC 2 reports are appropriate for engagements to report on controls at a service organization related to the Trust Service Principles, defined by the AICPA in TSP Section 100. The Trust Service Principles are:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

SOC 2 engagements are performed in accordance with AT section 101, Attestation Engagements, using guidance in the AICPA Guide, Reporting on Controls at the Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. It is organized around the five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each organization.