Generate sales and retain customers with a technical assurance report.
You can get more customers and keep current ones by proving you are secure and that customer data is confidential, available and will be processed accurately. We can help ease your customers’ worry about their data security by ensuring them you are secure with a Service Organization Controls (SOC) Report.
Sean P. Linton, CPA, CITP
Service Organization Control 2 Report (SOC 2)
A SOC 2 reporting engagement provides an independent auditor’s attestation related to the controls for a service organization that reflects any and/or all of the company’s security, availability, processing integrity, confidentiality and/or privacy processes. Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. Therefore, a SOC 2 report is often required.
The SOC 2 report results from attestation engagements that use the predefined criteria in the Trust Services Principles, Criteria and Illustrations (from the CICA and the AICPA), and the requirements and guidance in the AICPA’s AT Section 101 “Attest Engagements.”
Similar to a SOC 1 report, the SOC 2 report is issued as either a Type 1 or Type 2 report and provides a description of the service organization’s system. The Type 2 report also includes a description of the tests performed by the service auditor and the results.
SOC 2 reports address any and/or all of the following principles:
The system is available for operation and use as committed or agreed.
The system is available for operation and use as committed or agreed.
System processing is complete, accurate, timely and authorized
Confidential information is protected as committed or agreed.
Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
Why does my company need a SOC 2 Report?
- Required for organizations that offer outsourcing services for critical business or IT functions
- Required for organizations that offer outsourcing services that handle sensitive data
- Used as an effective compliance tool for examining and testing a service organization’s security, availability, processing integrity, confidentiality and/or privacy controls
Scope of SOC 2 Reports
- Data security
Data confidentiality
Data availability
Data privacy
Processing integrity
HIPAA
ISO 27001
NIST
HITRUST
Common Requirements of SOC 2 Compliance
- Documented Information Security Policies
- Security Tools and Monitoring
- Employee Non-Disclosure Agreements
- Encryption
- Access based on least privilege
- HR Practices
- Well controlled & documented systems development & change management processes
- Vendor Assessments
- Patching, vulnerability scanning, penetration testing
- Security Awareness Training at least Annually
- Backups and Data Recovery Procedures
Latest Technology Consulting Insights
Learn more about our Technology Consulting team’s expertise and ways in which we are helping organizations evaluate regulatory compliance. Our team has experience serving companies that range from startups to Fortune 100 companies in a variety of industries.
Latest Corporate Security Concerns
In the wake of yet another high-profile attack on corporate security infrastructure, many companies are rightly concerned with their security posture and their own susceptibility
MYCSF is the Tool Utilized to Manage the HITRUST Certification Process
What subscription option should I buy? Assess/Report option is limited to 90 days and deleted after the final report is issued, you will have to
Is HITRUST the Best Option for my Company?
Sitting down with a healthcare compliance expert at Lurie will help determine the best compliance strategy for meeting HITRUST compliance. While HITRUST is the “Gold
Meet your technology consulting team
Our Technology Consulting team provides expertise, process and technology required to evaluate regulatory compliance. Our team has experience serving companies that range from startups to Fortune 100 companies in a variety of industries.
Kate Seigrist
Partner, Technology Consulting
Sean Linton
Partner, Technology Consulting
Renata Torola
Manager, Technology Consulting
Bill Bodner
Manager, Technology Consulting
