SOC 2 Examination

PRIMARY CONTACTS: Michael Renzelman CPA (Columbus), Steven Thompson CPA (Pittsburgh), Eric Wright CPA, CITP (Pittsburgh), Donald Owens CPA, CITP, CIA, CFF, CBA, CFSA, CRMA (Columbus)

AT Section 101, Attest Engagements (AICPA, Professional Standards) is the authoritative guidance used to report on a service organization’s controls over its system relevant to security, availability, processing integrity, confidentiality and/or privacy.  Such engagements are commonly referred to as a Service Organization Control (SOC) 2 examination.   The AICPA guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2SM) provides “how-to” guidance for service auditors performing these examinations. SOC 2 examinations are designed for a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability and processing integrity of the systems processing users’ data and the confidentiality and privacy over the data. Use of this report is generally restricted to parties that have knowledge of a service organization’s services and IT environment.

The AICPA Trust Services Principles

Types of SOC 2 Engagements

Readiness Assessment – these reviews are designed to assist service organizations in assessing their preparedness for a SOC 2 examination.  Readiness Assessments are non-attest consulting engagements that are designed to identify gaps in controls and advise the service organization of necessary corrective actions in preparation of the SOC examination.   We work closely with the service organization to ensure mutual agreement on the applicable trust services principles and criteria, as well as the risks significant to user organizations

Type I – report on fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to meet the applicable trust services principles and criteria included in the description as of a specified date.  The SOC 2, Type 1 may be beneficial for organizations that have never completed an examination, as it assesses the design of controls at a specified date. 

Type II – report on fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to meet the applicable trust services principles and criteria throughout the specified period.  The SOC 2, Type 2 examination is typically suggested for organizations that have been through a readiness assessment or previously completed a Type 1 examination, as it assesses both the design and operating effectiveness of controls over a period of time. 

Additional Subject Matter – a service organization may request that the SOC report address additional subject matter that is not specifically covered by the trust services principles and criteria. Examples of such subject matter may include:

  • compliance with certain criteria based on regulatory requirements (i.e, HIPAA, GLBA)
  • compliance with certain criteria based on industry requirements (i.e., Payment Card Industry Data Security Standards (PCI/DSS), American Land Title Association (ALTA) title insurance and settlement company best practices)
  • compliance with performance criteria established in a service-level agreement

Read about SOC 1 and SOC 3 examinations and the overall SOC Practice at Schneider Downs.