SOC 2: AT 101 Services
Auditing Internal Controls: Type 1 and 2 SOC 2 Reports
A SOC 2 is best utilized when a company seeks to provide its clients with assurance over controls that do not affect the clients’ internal controls over financial reporting.
The SOC 2 report is an attestation report that opines on an assertion from management about the service organization’s controls that may affect its user entities’ security, availability, processing integrity, confidentiality and/or privacy, and it must be issued by an independent Certified Public Accounting (CPA) firm.
Our audit teams have experience performing SOC 2 examinations for a multitude of industries and service offerings including:
- Colocation & Managed Services
- Outsourced Information Technology Services
- Cloud Services
- Data Centers
- Internet Service Providers
- Web Hosting Providers
- Application Service Providers (ASP)
- Infrastructure as a Service (IaaS) Providers
- Health Care Practice Management
A-lign is able to provide SOC 2 examinations to companies outside the U.S. that do business with companies in the U.S.
Type 1 SOC 2 Examination
A Type 1 SOC 2 examination is a report that evaluates the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of controls in meeting the applicable criteria of the AICPA Trust Service Principles.
Type 2 SOC 2 Examination
A Type 2 SOC 2 examination provides a report similar to a Type 1 SOC 2 report, but also includes:
- The service auditor’s opinion on the operating effectiveness of the controls in meeting the applicable criteria of the AICPA Trust Service Principles.
- A description of the service auditor’s tests of the operating effectiveness of the controls and the results of those tests.
The completion of a SOC 2 report means that your customers can view a report, completed by a third-party CPA firm, that reviews the description of your organization’s system and the suitability of the design of your controls, and that provides the auditor’s opinion on the fairness of that description and on the suitability of the control design.
Receiving an unqualified SOC 2 report signifies the validity of your controls to your customers and potential customers, providing them with the assurance they need to feel confident in your company’s processes.
Service organizations must select one or more of the following AICPA Trust Service Principles to be included in their SOC 2 report:
- Security: This principle refers to the protection of the system from unauthorized access (both logical and physical).
- Availability: This principle refers to the accessibility to the system, products, or services as advertised or committed by contract, service-level, or other agreements.
- Processing Integrity: This principle refers to the completeness, accuracy, validity, timeliness, and authorization of system processing.
- Confidentiality: This principle refers to the system’s ability to protect the information designated as confidential, as committed or agreed.
- Privacy: This principle refers to personal information that is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles (GAPP) issued jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
In addition to one or more of the AICPA Trust Service Principles, a SOC 2 report may also include criteria established by management, third parties, or other industry standards, such as ISO 27001, HIPAA, or PCI DSS. The criteria must meet the following basic characteristics:
Organizations may choose to use the criteria for SOC 3 engagements, their own privacy statement, or include compliance standards such as ISO 27002.
A detailed description of the trust service principles can be found here: AICPA’s Trust Service Principles.
A-lign can perform a SOC 2 examination that can comprise the following deliverables:
- Management’s assertion
- A-lign’s opinion on management’s assertion
- Management’s description of its system and criteria used
- A-lign’s tests of operating effectiveness and the results of those tests (Type 2 SOC 2 Reports only)
Please call 1-888-702-5446 for further information, or contact us here.