SOC 2 Audit Reports

SOC 2

Whereas SOC 1 audits cover internal controls over financial reporting, SOC 2 audits focus on controls at a service organization relevant to the 5 Trust Services Principles and Criteria issued by the American Institute of Certified Public Accountants (AICPA).

The 5 Trust Services Criteria from the AICPA

Security

Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives. 

Security refers to the protection of: 

i. Information during its collection or creation, use, processing, transmission, and storage; and

ii. Systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives.

Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.

Availability

Information and systems are available for operation and use to meet the entity's objectives. 

Availability refers to the accessibility of information used by the entity's systems, as well as the products or services provided to its customers. The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring, and maintenance. 

Processing Integrity

System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. 

Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity. 

Confidentiality

Information designated as confidential is protected to meet the entity's objectives. 

Confidentiality addresses the entity's ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity's control in accordance with management's objectives. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries).

Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding the collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property. 

Privacy

Personal information is collected, used, retained, disclosed, and disposed to meet the entity's objectives. 

Although confidentiality applies to various types of sensitive information, privacy applies only to personal information. 
The privacy criteria are organized as follows:

i. Notice and communication of objectives. The entity provides notice to data subjects about its objectives related to privacy.

ii. Choice and consent. The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.

iii. Collection. The entity collects personal information to meet its objectives related to privacy.

iv. Use, retention, and disposal. The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy.

v. Access. The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.

vi. Disclosure and notification. The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy.

vii. Quality. The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet its objectives related to privacy.

viii. Monitoring and enforcement. The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.

Download our "Cliff Notes" for a Better Understanding of SOC 1, SOC 2, and SOC 3 today.

SOC 1 vs. SOC 2

Learn about the differences between a SOC 1 audit and a SOC 2 audit below.

Combine your SOC 2 audit report with other frameworks to:

  • Improve compliance with industry regulations.
  • Reduce the risk of security incidents.
  • Improve security assurance for customers and partners.
  • Increase efficiency and cost savings.

SOC 2 + CSA STAR

We combine a SOC 2 and CSA STAR report to demonstrate that companies have met the security requirements of both standards.

SOC 2 is a well-known and established standard for security, while CSA STAR is a cloud-specific standard that focuses on security controls for cloud service providers. By combining the two reports, you'll have a comprehensive approach to security that is compliant with both industry standards.

SOC 2 + HITRUST

The combination of a SOC 2 and HITRUST Certification can be a valuable tool for healthcare companies that want to illustrate their commitment to security. 

HITRUST is a more comprehensive framework than SOC 2, and it includes requirements for security, privacy, and compliance with specific regulations.

To learn more about complementary compliance solutions, reach out to our team below.
