SOC 2: Overview

February 23, 2015 Debbie Zaller

What is a SOC 2 examination? How is it different than a SOC 1 examination?

The Service Organization Control (SOC) 2 examination is performed in accordance with AT Section 101 and is based upon the Trust Services Principles and Criteria as outlined in TSP Section 100. As with a SOC 1 examination, service organizations can choose between a Type 1 examination and a Type 2 examination. The two reports differ in scope: a SOC 2 examination reports on the controls that are relevant to one or more Trust Services Principles, whereas a SOC 1 examination reports on the controls that are relevant to the user entities’ internal control over financial reporting.

Each of the five Trust Services Principles has defined criteria that are specific to that principle. Service organizations should have controls in place designed to meet each of the applicable Trust Services Criteria prior to the SOC 2 examination.

The SOC 2 Trust Principles include:

  • Security - The system is protected against unauthorized access, use, or modification
  • Availability - The system is available for operation and use as committed or agreed
  • Processing Integrity - System processing is complete, valid, accurate, timely, and authorized
  • Confidentiality - Information designated as confidential is protected as committed or agreed
  • Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the entity’s commitments and with criteria set forth in GAPP


About the Author

Debbie Zaller

Debbie Zaller is a Principal at Schellman & Company, LLC. Debbie leads the SOC 2 and SOC 3 service line and is also an AICPA SOC Specialist. Debbie has over 15 years of IT attestation experience and currently spearheads Schellman’s SOC 2 practice, where she is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee.
