What does a SOC 2 audit include?

June 25, 2020 by Author

Table of Contents

1 What does a SOC 2 audit include?
2 What do SOC 2 reports look for?
3 Who can issue a SOC 2 report?
4 What is included in a SOC 2 Type 2 report?
5 Who should review SOC reports?
6 Who needs a SOC 2 report?
7 What do you need to know about SOC 2 compliance?

What does a SOC 2 audit include?

The SOC 2 report evaluates a business’s non-financial reporting controls relating to security, availability, processing integrity, confidentiality, and privacy of a system. In the SOC 2 audit report, the auditor will provide a written evaluation of the service organization’s internal controls.

Who needs a SOC 2 audit?

Who needs a SOC 2 report? Organizations that need a SOC 2 report include cloud service providers, SaaS providers, and organizations that store client information in the cloud. A SOC 2 report proves a client’s data is protected and kept private from unauthorized users.

What do SOC 2 reports look for?

The 5 possible covered criteria are: Privacy, Security, Confidentiality, Integrity and Availability. Service provider management is allowed to select which criteria they want included in the report, and once again you should make sure your specific concerns are addressed.

What is soc2 compliance checklist?

This SOC 2 checklist lays out the infrastructure, software, people, processes, and data that will be evaluated during the SOC 2 audit process, including what your auditor will specifically be looking for. A SOC 2 report is a far-reaching document that can affect many areas of organizational governance.

Who can issue a SOC 2 report?

CPA
A SOC 2 audit can only be performed by an auditor at a licensed CPA firm, specifically one that specializes in information security. SOC 2 audits are regulated by the AICPA.

Are SOC 2 reports mandatory?

System and Organization Controls for Service Organizations 2 (SOC 2) compliance isn’t mandatory. No industry requires a SOC 2 report. Not only do many companies expect SOC 2 compliance from their service providers, but having a SOC 2 report attesting to compliance confers added benefits, as well.

What is included in a SOC 2 Type 2 report?

Type II SOC 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.

What it is SOC 2 compliance?

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy.

Who should review SOC reports?

Vendor SOC reports should always be reviewed as part of your company’s vendor management program. They not only provide valuable information about the vendor’s internal controls but also, depending on the results and opinion of the report, can help to identify a vendor that will provide a high level of service.

How do I prepare for a SOC 2 audit?

Best Practices for Preparing for A SOC 2 Audit

Create Up-to-date Administrative Policies. Administrative policies and standard operating procedures (SOPs) are a cornerstone to any security program.
Set Technical Security Controls.
Gather Documentation and Evidence.
Schedule an Audit with A Reputable Auditing Firm.

Who needs a SOC 2 report?

SOC 2 is the most sought-after report in this domain and a must if you are dealing with an IT vendor. It is quite common for people to believe that SOC 2 is some upgrade over the SOC 1, which is entirely untrue. SOC 2 deals with the examination of the controls of a service organization over, one or more of the ensuing Trust Service Criteria (TSC):

Why a SOC 2 Type 2 report is important?

SOC 2 reports -both Type I and Type II-specifically address issues related to security, availability, processing integrity, confidentiality, and privacy. This information is highly relevant to companies seeking an LSP for translating sensitive information.

What do you need to know about SOC 2 compliance?

Security: The system is protected,both logically and physically,against unauthorized access.

Availability: The system is available for operation and use as committed or agreed to.

Processing Integrity: System processing is complete,accurate,timely,and authorized.

What does SoC stand for in audit?

SOC stands for: System and Organization Controls. An organization that has passed an audit of internal controls, policies, and procedures by an independent certified public accountant is SOC audit certified. SOC 1 Report is a report on controls relevant to user entities’ internal control over financial reporting.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.