SOC2 Certification
User entities and organizations want reporting that provides assurance on controls over operations and compliance, rather than just on controls over financial reporting. The AICPA created a framework to enable a broader type of third-party attestation reporting on controls at service organizations, beyond merely financial reporting. This framework is the Service Organization Control (SOC) reporting framework. The SOC framework has three different reporting options: SOC1, SOC2, and SOC3.
Some Facts
SOC 2 reports are appropriate for engagements to report on controls at a service organization related to the Trust Service Principles, defined by the AICPA in TSP Section 100. The Trust Service Principles are security, availability, processing integrity, confidentiality, and privacy.
SOC 2 engagements are performed in accordance with AT section 101, Attestation Engagements, using guidance in the AICPA Guide, Reporting on Controls at the Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
A SOC 2 Type 1 report delivers a description of your organization's system and its ability to meet the relevant criteria set by the Trust Services Criteria at a specific date in time. It is used to confirm that the necessary controls are in place on the particular day of the audit. A Type 1 report only documents the procedures and controls an organization has put in place as of a point in time.
A SOC 2 Type 1 report details the suitability of the design of controls for the service organization's system. It describes the system at a point in time, particularly its scope, the management of the organization describing the system, and the controls in place. Key to this report is its "as of" date, meaning it deals with the specifics of a system at a particular point in time. The auditor bases his or her report on the description of the controls and a review of the documentation around these controls. A SOC 2 Type 1 report is particularly helpful to service companies because it can make them more competitive. It gives potential customers assurance that the service organization has passed the auditing procedure and that their data is safe if they work with the SOC 2-compliant company.
There is increased customer demand for SOC 2 Type 1 reports as cybercrime cases mount. Companies now want to work with vendors who can prove that they manage and handle sensitive data well. This report is now considered a necessity for companies handling customer data, such as healthcare firms and financial institutions.
Type 2 reports include a description of your organization's system along with the results of the auditor's tests, as related to the Trust Services Criteria, over a period of time. In addition, a Type 2 report gives a historical view of an organization's environment to determine whether the organization's internal controls are designed and operating effectively.
A Type 2 report has an audit period and provides evidence of how an organization operated its controls over that period. It is important to understand that a Type 2 SOC report does not impose more stringent control requirements; rather, it describes how a company's control environment operated over its audit period (typically not less than six months).
SOC 2 Type 2 compliance gives a higher level of assurance compared to SOC 2 Type 1. To comply with this requirement, a company must pass a thorough examination by an auditor of its internal control policies and practices over a particular period of time.
With a SOC 2 Type 2 report, a service firm can send a powerful message to potential customers that it applies best practices in data security and control systems. Service entities with this compliance stand to win more contracts from bigger firms.
Like a SOC 2 Type 1 report, SOC 2 Type 2 looks at the five trust principles of data processing and storage: availability, confidentiality, security, privacy, and processing integrity.
Both reports address the reporting controls and processes of a service organization related to the five trust principles of data. Moreover, pursuing SOC 2 compliance, whether Type 1 or Type 2, is voluntary.
In a Type 1 audit, the report covers the design effectiveness of internal controls as of a specific point in time, such as September 30. The report only covers the effectiveness of the internal controls designed to meet the service provider's objectives. It also affirms the suitability of those controls for attaining the objectives.
On the other hand, a SOC 2 Type 2 audit report covers a longer period of time. This can range from six to 12 months, although the most common period is 12 months. It addresses the design of internal controls and their operating effectiveness over time in achieving the set objectives.
Because of the broader coverage of a SOC 2 Type 2 report, it also takes more time and effort for service providers to prepare for it. There is no need to wait for all controls to be in place before starting.
Yet the additional time and resources devoted to SOC 2 Type 2 compliance yield more value to companies. The report shows what a service provider is actually doing to protect its customers' sensitive data. It also appeals to prospective customers and other stakeholders such as partners and insurance firms.
What Our Customers Say
Valency Networks is a very technical company, focused on continuous improvement in service quality. Our customers like us exactly for that, and it helps us keep our quality at the highest level.