What is a SOC 2 examination? How is it different from a SOC 1 examination?
A Service Organization Control (SOC) 2 examination is performed in accordance with AT Section 101 and is based on the Trust Services Principles and Criteria set out in TSP Section 100. As with a SOC 1 examination, the service organization chooses between a Type 1 examination, which reports on whether the controls are suitably designed as of a point in time, and a Type 2 examination, which also reports on whether those controls operated effectively over a stated period. The two reports differ in scope: a SOC 2 examination reports on controls relevant to one or more of the Trust Services Principles, whereas a SOC 1 examination reports on controls relevant to the user entities' internal control over financial reporting.
Each of the five Trust Services Principles has its own defined criteria. Before the SOC 2 examination begins, the service organization should already have controls in place that are designed to meet every criterion applicable to the principles in scope; the examination evaluates those controls, it does not define them.
The SOC 2 Trust Principles include:
- Security - The system is protected against unauthorized access, use, or modification
- Availability - The system is available for operation and use as committed or agreed
- Processing Integrity - System processing is complete, valid, accurate, timely, and authorized
- Confidentiality - Information designated as confidential is protected as committed or agreed
- Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the entity's commitments and with the criteria set forth in GAPP (Generally Accepted Privacy Principles)
About the author: Debbie Zaller