The AICPA’s SOC 2 report is a new report that addresses the need to provide information and assurance on non-financial controls. It is designed to report on controls that are relevant to the security, availability and/or processing integrity of the systems used by service organizations to process user entities’ data. It can also be used to address the need for assurance on the confidentiality and privacy of the information processed by these systems.
SOC 2 reports will contain the same report elements as SOC 1 reports but will be prepared in accordance with the AT Section 101 attest standard rather than the SSAE 16 standard. Furthermore, instead of control objectives defined by the service organization, a SOC 2 report evaluates controls against the AICPA and CICA’s Trust Services Principles and Criteria, previously used by the WebTrust and SysTrust certifications. The five principles are security, availability, processing integrity, confidentiality and privacy; a report may cover any one or more of them. Like SOC 1 reports, SOC 2 reports are available as a Type 1 report (design of controls at a point in time) or a Type 2 report (design and operating effectiveness over a period).
SOC 2 reports are generally restricted-use reports. They are intended for management of the service organization, management of the user entities and customers of the service organization, and suppliers, business partners and others associated with the service organization who have sufficient knowledge of the system to interpret the report. The intent of a SOC 2 report is to provide an understanding of the details of the processing and controls at a service organization, with the goal of instilling confidence and gaining trust in that service organization’s systems.
Entities seeking to outsource business processes to service organizations such as cloud computing providers, SaaS providers, Internet retailers, health care claims processors and others stand to benefit from the information contained in a SOC 2 report. User management will now have the information they need to help them understand and evaluate the risks associated with an outsourced service being offered by a particular service organization. It is expected that SOC 2 reports will play an important role for user entities in the oversight of a service organization as well as an entity’s vendor management programs, internal corporate governance and risk processes and regulatory oversight efforts.