Receiving a SOC 2 / AT-C 105 and 205 report provides clients with assurance regarding a service organization's controls that do not affect the clients' internal controls over financial reporting. A SOC 2 report must cover one or more of the AICPA Trust Service Principles. These principles are:
Common Criteria / Security – The system is protected against unauthorized access, both physical and logical.
Availability – The system is available for operation and use as committed to or agreed.
Confidentiality – Information designated as confidential is protected as committed to or agreed.
Processing Integrity – System processing is complete, accurate, timely and authorized.
Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in GAPP (Generally Accepted Privacy Principles).
Remember that two types of SOC 2 reports exist:
Type I: Test of control design effectiveness (as of a point in time).
Type II: Test of control operating effectiveness (over a period of time).
What Does Elevate Think?
Clients often describe Type I as the policy documentation phase and Type II as the testing phase. Although this is broadly accurate, a Type I report requires more than that: several other audit artifacts beyond policies and procedures are required (e.g., a risk assessment, penetration testing, etc.). Elevate helps you navigate the difference between the two report types and determine the best approach for achieving compliance.