What is SOC 2?
Receiving a SOC 2 report (issued under AT-C sections 105 and 205) provides clients with assurance regarding a service organization’s controls that are not relevant to the clients’ internal control over financial reporting. A SOC 2 report must cover one or more of the AICPA Trust Services Principles. These principles are:
Common Criteria / Security – The system is protected against unauthorized access, physically and logically.
Availability – The system is available for operation and use as committed to or agreed.
Confidentiality – Information designated as confidential is protected as committed to or agreed.
Processing Integrity – System processing is complete, accurate, timely and authorized.
Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in GAPP (Generally Accepted Privacy Principles).
Remember that two types of SOC 2 reports exist:
Type I: Test of control design effectiveness (as of a point in time).
Type II: Test of control operating effectiveness (over a period of time).