SOC 2 Examinations

Primary Contact: Eric M. Wright CPA, CITP

SOC 2 - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy.  

With SOC 2 reports, organizations decide which categories to include in the scope of the examination. This flexibility means reports are unique to each company while providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.

The 2017 AICPA Trust Services Categories

Types of SOC 2 Engagements

Readiness Assessment - these reviews are designed to assist service organizations in assessing their preparedness for a SOC 2 examination. Readiness Assessments are non-attest consulting engagements designed to identify gaps in controls and advise the service organization of necessary corrective actions in preparation for the SOC examination. We work closely with the service organization to ensure mutual agreement on the applicable trust services categories and criteria, as well as the risks significant to user organizations.

Type 1 - reports on fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to meet the applicable trust services categories and criteria included in the description as of a specified date. The SOC 2 Type 1 may be beneficial for organizations that have never completed an examination, since it assesses the design of controls at a specified date.

Type 2 - reports on fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to meet the applicable trust services categories and criteria throughout the specified period. The SOC 2 Type 2 examination is typically suggested for organizations that have been through a readiness assessment or previously completed a Type 1 examination since it assesses both the design and operating effectiveness of controls over a period of time.

Additional Subject Matter

A service organization may request that the SOC report address additional subject matter that is not specifically covered by the trust services categories and criteria. Examples of such subject matter may include:

  • SOC for Service Organizations: SOC 2 HITRUST
  • SOC for Service Organizations: SOC 2 CSA STAR Attestation
  • Compliance with certain criteria based on regulatory requirements (i.e., HIPAA, GLBA)
  • Compliance with certain criteria based on industry requirements (i.e., Payment Card Industry Data Security Standards (PCI/DSS), American Land Title Association (ALTA) title insurance and settlement company best practices)
  • Compliance with performance criteria established in a service-level agreement

Additional SOC Services

SOC Resources

About Schneider Downs SOC Services

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.

Does your organization need a system and organization controls (SOC) report?

take a free assessment quiz

case studies
 
Company impacted by ransomware.
big problem:
Company impacted by ransomware.
big thinking:
Restore system on-site and avoid six-figure ransom.
read more
 
Inefficient tax credit realization.
big problem:
Inefficient tax credit realization.
big thinking:
Identified a $900,000 tax credit, nearly twice as much as prior years.
read more
See more case studies
our thoughts on

Tis the Season: Unwrapping the Top Holiday Scams of 2023

Learn about some of the top online scams circulating this holiday season.

read more >

Fraud Week 2023: Frauds of the Rich and the Famous

Learn more about ACFE International Fraud Week and explore famous fraud cases including FTX and the Fyre Festival.

read more >

2024 Cost-of-Living Adjustments for Retirement Plans and IRAs

Learn more about the 2024 cost-of-living-adjustments for retirement plans and IRAs.

read more >

Think Before You Click: Fake Browser Updates are Back in Style

Learn more about the resurgence of one of the oldest malware attack methods in the book: the fake browser update.

read more >

The SEC ‘Names Rule’: Unpacking the Impacts to ESG Funds

Learn more about the impact of the SEC's amendment to the Investment Company Act of 1940 on ESG naming conventions.

read more >
Have a question? Ask us!

Have a question? Ask us!

We'd love to hear from you. Drop us a note, and we'll respond to you as quickly as possible.
contact us
Pittsburgh
Columbus
Metropolitan Washington
Image of Prime Global Logo
follow us client portal

contact us

Pittsburgh
Columbus
Metropolitan Washington
follow us
client portal