SOC 2
An AICPA attestation report that evaluates a service organization's controls against one or more of the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Comes in Type I (point-in-time) and Type II (period coverage).
SOC 2 (System and Organization Controls 2, formerly Service Organization Control 2) is an attestation report issued by an independent CPA firm. It evaluates a service organization's internal controls against the Trust Services Criteria (TSC) defined by the AICPA.
The five TSC categories:
- Security (the only mandatory category, also called the common criteria) — information and systems are protected against unauthorized access, unauthorized disclosure, and damage.
- Availability — the system is available for operation and use as committed or agreed.
- Processing integrity — system processing is complete, valid, accurate, timely, and authorized.
- Confidentiality — information designated as confidential is protected as committed or agreed.
- Privacy — personal information is collected, used, retained, disclosed, and disposed of per the entity's privacy notice and the AICPA privacy criteria.
Two report types:
- Type I — the design and implementation of controls as of a specified date; no testing of operating effectiveness.
- Type II — the design and operating effectiveness of controls over a review period (typically 3 to 12 months), with the auditor's test procedures and results included in the report.
Most enterprise buyers ask for a SOC 2 Type II report as a precondition for a SaaS purchase. A first report typically involves 6-12 months of readiness work (scoping, writing policies, implementing and evidencing controls) followed by an observation window, commonly 3 to 6 months for a first Type II report and 12 months for subsequent annual reports, before the auditor can test operating effectiveness.
A SOC 2 report is not a certification: it is the CPA firm's opinion on management's description of the system and on whether the controls were suitably designed (and, for Type II, operated effectively) over the stated period. Anyone can claim to be "SOC 2 compliant"; only the report itself carries weight, so read the report rather than the claim. Check the report period, which TSC categories are in scope, any exceptions noted in the test results or a qualified opinion, and the complementary user entity controls (CUECs) that the customer is expected to implement for the auditor's conclusions to hold.
Sources
- American Institute of Certified Public Accountants. AICPA SOC 2 Trust Services Criteria. AICPA, 2017. https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2