Service Organization Control (SOC) 2 is an audit reporting standard issued by the American Institute of Certified Public Accountants (AICPA). The report provides the auditor's opinion on the design and effectiveness of the organization's controls that address the five Trust Services Principles (TSP):
- Security
- Confidentiality
- Integrity
- Availability
- Privacy
Organizations are not required to address all five TSPs. Only the Security principle is mandatory; the rest are up to the organization. Additionally, there are two types of SOC 2 reports: Type I and Type II. A SOC 2 Type I report tests only the design of the organization's controls, while a Type II report also tests their effectiveness. A Type I report is usually just a stepping stone for the organization in preparation for a Type II audit.
A SOC 2 report covers a specific time period (the test period). The test period is usually twelve months but can be as short as three months. SOC 2 audits are conducted by Certified Public Accountants (CPAs) who are members of the AICPA.