What Is a SOC 2 Type 2 Audit?

A System and Organization Controls for Service Organizations 2 (SOC 2) Type 2 audit is a technical audit performed by an American Institute of Certified Public Accountants (AICPA) auditor or firm. A SOC 2 Type 2 audit tests whether your service organization controls meet the stringent requirements of the SOC 2 privacy and security framework.

SOC 2 compliance reports come in two flavors: Type 1 (Type i) and Type 2 (Type ii).

Knowing which type is right for your service organization is essential before commissioning to examine your records and prepare a report for you.

What is SOC 2?

SOC 2 is a data security and privacy framework recommended for all service providers that process and store customer data, such as Software-as-a-Service (SaaS) providers, third-party vendors, cloud computing hosts, and payment processors.

The AICPA established SOC 2 to help ensure the security, availability, processing, integrity, and confidentiality of customer data—five criteria that are known as SOC 2’s “trust service categories” (formerly “trust services principles, or “trust services criteria”).

Compliance with SOC 2 is voluntary. However, many enterprises will not do business with services providers that have not attained the SOC 2 attestation of compliance from an independent CPA or CPA firm.

In producing the SOC 2 attestation of compliance, auditors use as reference points the benchmarks in the AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which emphasizes data security.

SOC 2 requires organizations to establish and follow strict information security policies and procedures. Having the SOC 2 report attesting to the compliance of your service organization’s controls means that you and your customers, as well as your business partners, can rest assured that the personal information you process is well protected from unauthorized access.

Type 1 vs. Type 2

Both SOC 1, which concerns financial reporting, and SOC 2, which governs information security and privacy, have two types of reports. In this document, we discuss SOC 2.

The difference between SOC 2 Type i and Soc 2 Type ii reports lies in the period of time each covers.

• SOC 2 Type 1, often an organization’s first-ever SOC 2 report, looks at internal controls governing data security and privacy at the time of the audit.
• SOC 2 Type 2 reports discuss the effectiveness of your organization’s information security and privacy controls since your last SOC audit, which typically means one year.

The two types of reports are used differently by organizations:

• SOC 2 Type 1 takes a “snapshot-in-time” approach, setting a baseline for future audits of your service organization’s system.
• SOC 2 Type 2 asks how well your data security and privacy controls have worked since your last SOC 2 audit.

So, the audit procedure most organizations follow is:

• Type 1 for the first SOC 2 audit
• Type 2 for subsequent SOC 2 audits.