SOC 2 Report – Trust Services Principles

The Service Organization Control (SOC) 2 Report will be performed in accordance with AT 101 and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 16). The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16, which is focused on the financial reporting controls.

The five SOC 2 Trust Services Principles are:

Security: The system is protected, both logically and physically, against unauthorized access.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information that is designated confidential is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

The Trust Services Principles on which SOC 2 is based are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each principle has defined criteria (controls) that must be met to demonstrate adherence to the principle and produce an unqualified opinion (no significant exceptions found during your audit). The advantage of the trust principles is that the criteria a business must meet are predefined, making it easier for business owners to know what compliance requirements apply and for users of the report to read it and assess the adequacy of the controls.

Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain, and dispose of information for user entities. SOC 2 was put in place to address demand in the marketplace for assurance over non-financial controls and to prevent SOC 1 from being misused the way SAS 70 was.

There has been a major update to SOC 2 since its initial implementation. See the linked article on the SOC 2+ Additional Subject Matter option to learn how it can be leveraged to reduce overall compliance costs and effort.

Did you know? A business isn’t required to address all the principles; the review can be limited to only those principles that are relevant to the outsourced service being performed. Some example industries that might have a need for a SOC 2 include SaaS providers, data centers/colocation facilities, document production, and data analytics providers.
