SOC 2 Audit Report: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
A SOC 2 audit is similar to a SOC 1 audit but focuses instead on the effectiveness of internal controls as they relate to non-financial data. This type of audit is also conducted by an independent CPA firm and results in two reports similar to those produced under a SOC 1 audit. The first report (a Type I report) reviews the effectiveness of the service organization’s internal control system and the suitability of the design of the controls as they pertain to non-financial data. The Type II report reviews the operating effectiveness of those controls.
A SOC 2 audit report, which is delivered to the service organization, must include information related to at least one of AICPA’s trust service principles:
- IT security
- Processing Integrity
The audit can examine the protection of the organization’s internal control system against unauthorized access, its availability for use as intended, assurance that the data processed by the organization is comprehensive and accurate, and whether it meets agreed-upon confidentiality policies and similar privacy requirements, including those under Generally Accepted Privacy Principles.
Like a SOC 1 audit, a SOC 2 audit gives service organizations a competitive and marketing advantage, and it increases clients' perception of trust and reliability: that the service group can serve as an effective steward of their non-financial data and transactions.
Learn more about CBM’s full suite of System and Organization Control (SOC) Audits including SOC 1 audits. Contact Senior Vice President Dan Weaver to discuss how CBM can help your service organization.