Obtaining a SOC 2 report requires an investment of both time and money for a service organization and, at some point, might seem like more work than it’s worth. However, the advantages of obtaining a SOC 2 report far outweigh the initial investment.
Recently, we have noticed that clients of service organizations are asking for a “SOC” report in general, without necessarily specifying which type of report they are looking for [i.e., SOC 1 (formerly SSAE 16), SOC 2, or SOC 3].
Some of our clients occasionally ask us when it is a good idea to get a SOC 3 report. The answer for most companies is that a SOC 3 is not necessary.
On December 15, 2014, the new SOC 2 Common Criteria took effect. What does that mean for your SOC 2 audit?
The ever-growing emphasis on governance, risk management, and compliance has driven companies to focus on internal controls over all aspects of their operations.
A SOC (Service Organization Control) report is a report on controls at a service organization related to various types of subject matter, for example: controls that affect user entities’ financial reporting; controls that affect the security, availability, and processing integrity of the systems; or controls over the confidentiality or privacy of the information processed for user entities’ clients.
The Trust Services Principles and Criteria (TSP Section 100) have been updated for SOC 2 reports.
In a SOC 2 examination, two of the five Trust Services Principles and Criteria are Privacy and Confidentiality. These two principles can be confusing and may seem to overlap.