SOC 2
There are three standards for Service Organization Controls established by American Institute of Certified Accounting Professionals (AICPA) for determining the suitability of system design and operating effectiveness of information technology (IT) infrastructures: SOC 1, SOC 2, and SOC 3.
What is a SOC 2 audit?
SOC 2 audits, which are not relevant to financial reporting, are performed in accordance with AT Section 101 and utilize the recently released AICPA audit guide titled “Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy”. The report includes tests of the information systems controls governing the accounting records and other procedures necessary to enable the auditor to express an unqualified opinion that the information technology systems and controls described by management allow financial statements to be fairly presented, in all material respects, and in conformity with the standards.
Two types of SOC 2 reports.
A SOC 2 Type 1 is a written assertion by management of the service organization that describes the service organization’s system. It evaluates the suitability of the design and implementation of the controls as of a specific date. The SOC 2 Type 2 report includes the Type 1 criteria and, in addition, reports on the operating effectiveness of the controls during a specified period of months. It also addresses the privacy principle and provides information and the CPA’s opinion about the service organization’s compliance with the commitments in its statement of privacy. The report is for internal use and is issued in response to a user’s request; it is not intended for public use. No official SOC 2 certificate is issued for publication.