This is Part 2 of a 3-part blog focused on Service Organization Reports – SOC 1, 2 and 3, one of Wolters Kluwer’s newest CCH ProSystem fx Knowledge Coach titles. This edition focuses on SOC 2; Part 1 focused on SOC 1. Check back tomorrow for information about SOC 3. Knowledge Coach is an integral part of the integrated audit approach, which also includes CCH ProSystem fx Engagement and CCH Accounting Research Manager.
SOC 2® Report— Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that require information and assurance about the controls at a service organization. These reports provide information about the security, availability, and processing integrity of the systems used to process users’ data. They also cover the confidentiality and privacy of the information processed by these systems. SOC 2 engagements use predefined criteria in the Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP 100). Management of an entity also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of such controls.
As a result, these reports can play an important role in oversight of the organization; vendor management programs; internal corporate governance and risk management processes; and regulatory oversight.
In addition, much like a SOC 1 report, there are two types of SOC 2 reports.
- Type 1 report. Management’s description of a service organization’s system and the suitability of the design of controls.
- Type 2 report. Management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
Generally, only parties that have an understanding of the service organization and its controls may use these reports.