SOC 2 Examinations

SOC 2 Certifications

Most organizations are aware of the challenges created by cyber criminals. It is not difficult to find stories about the latest data breach or statistics revealing just how financially damaging these events can be to businesses and their customers. To ensure adequate levels of protection, many service organizations undergo a Systems and Organization Controls (SOC) 2 examination. Designed for businesses that manage, process, store, and transmit customer data, it provides an independent audit that highlights the effectiveness of a company’s internal controls related to AICPA trust principles. This includes security, availability, processing integrity, confidentiality, and privacy.

An organization undergoing a SOC 2 examination can anticipate one of two report types (key features outlined below). In general, a SOC Type 1 is different from Type 2 in that the former assesses the design of security processes as a snapshot, while the latter assesses how effective those controls are over a period (usually six months).

SOC 2 Type I Report

This report type provides an overview of controls and evaluates whether it achieves control objectives related to security, availability, processing integrity, confidentiality, and privacy. The audit process generally includes the following:

  • Identification of the control objectives relevant to systems and processes.
  • Development of controls to achieve the identified objectives.
  • An independent third-party auditor evaluates control design and issues a SOC 2 report.

The final report includes a description of the systems and process, an evaluation of the design controls in place, and any uncovered deficiencies or gaps. It is important to note, a SOC 2 Type I, does not provide assurance that established controls are operating effectively over a period.

SOC 2 Type II Report

This report provides an independent evaluation of the operating effectiveness of a service organization’s controls over a period of time (usually six months to a year). It evaluates whether the controls are suitably designed and operating effectively to meet stated objectives. The audit process generally includes the following:

  • Identification of the control objectives relevant to systems and processes.
  • Development of controls to achieve the identified objectives.
  • An independent third-party auditor evaluates control design and then tests whether the controls are operating effectively.

A report is issued that includes a description of the systems and process, evaluation of the operating effectiveness, and any issues or gaps. This report type provides greater assurance to customers that effective controls have been implemented over an established period. Customers can use the SOC 2 Type II report to assess the security posture of the service organization and determine whether they can trust the organization with their data and systems.

We’re Here to Help

JLK Rosenberger has significant experience providing SOC 2 reports to businesses in Los Angeles, Dallas, and across the country. Whether this is your first SOC certification, or it is part of an ongoing program, our dedicated professionals stand ready to help. To learn more, complete the form to the right and a team member will reach out shortly.

Featured Insights

See All INSIGHTS