Understanding SOC 3 Reports: A Seal of Assurance for Security and Privacy

With data security and privacy paramount concerns for businesses and consumers, organizations are increasingly seeking ways to demonstrate their commitment to safeguarding sensitive information. One powerful tool for demonstrating assurance is the SOC 3 (System and Organization Controls 3) report.

A SOC 3 report is an external audit report based on the AICPA’s Trust Service Criteria. It encompasses categories related to:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Major service organizations spanning industries like cloud computing, SaaS, internet services, and telecommunications are making their SOC 3 reports available publicly. For example, AWS, Google Cloud, and Azure publish their reports to showcase how they prioritize security and privacy standards.

SOC 2 vs. SOC 3 Reports

While similar to SOC 2 reports, SOC 3 reports have a distinctive feature: they are designed for public distribution. This means the information within these reports is written to be understood easily by a broad audience, making them a valuable asset for businesses seeking to build trust and transparency.

In layman’s terms, a SOC 3 report is the public-facing version of a SOC 2 report; in fact, it is a summarized version of the SOC 2 Type 2 report. As such, it can only be issued in connection with a SOC 2 Type 2 report.

Benefits of a SOC 3 Audit

1. Public Assurance

SOC 3 reports serve as a seal of assurance that can be displayed prominently on a company’s website or within its marketing materials. This seal communicates to customers, prospects, partners, and the general public that the organization has undergone an independent audit and adheres to robust controls in key areas.

2. Broad Transparency

Unlike SOC 2 reports, which are often shared with specific parties under non-disclosure agreements, SOC 3 reports are intended for public consumption. A completed SOC 2 audit and a SOC 3 report demonstrate a proactive approach to security and privacy, potentially attracting clients who prioritize working with organizations committed to safeguarding their data.

3. Enhanced Customer Trust

A SOC 3 report is not just a compliance checkbox; it’s a testament to an organization’s dedication to protecting its customers’ data. This enhanced level of transparency fosters trust and confidence, crucial elements in building lasting customer relationships.

4. Risk Mitigation

By undergoing a SOC 2 audit and getting a SOC 3 report, a company can identify and address potential vulnerabilities in its systems, controls, and processes. This proactive approach to risk management can save an organization from future security incidents and associated reputational damage.

5. Global Recognition

As data protection regulations evolve globally, a completed SOC 2 audit and SOC 3 report can be advantageous for organizations operating in international markets. It showcases a commitment to aligning with industry best practices and compliance standards.

Elevating Your Security and Privacy Standards

Obtaining a SOC 2 audit and SOC 3 report is not just about meeting compliance requirements – it’s a strategic move toward building a reputation for excellence in security and privacy. SOC 3 goes beyond the checkboxes, instilling confidence in customers, prospects, and partners.

In a digital age where trust is currency, this step can be your organization’s key to unlocking new opportunities and fortifying its standing in the marketplace. To learn more about the potential benefits of a SOC 2 audit and a SOC 3 report, contact us.


Key Elements of a SOC 2 Report

One of the most effective ways for service organizations (a broad category that includes cloud service providers) to demonstrate they have implemented security controls that safeguard sensitive data and meet their service commitments is by obtaining a System and Organization Controls (SOC) 2 report.

What is a SOC 2 Report?

Developed by the American Institute of CPAs (AICPA), a SOC 2 report offers a framework that allows a third-party accounting firm to examine a service organization’s security practices and controls, and to prepare an objective attestation as to whether the provider’s security measures are designed and operating effectively.

Trust Services Criteria

The report is based on five Trust Services Criteria (TSC) highlighting various aspects of a service organization’s information protection posture. Typically, a service organization will have to meet the Security (also known as the “Common Criteria”) criterion to undergo a SOC 2 examination. However, organizations can opt into four additional Trust Services Criteria based on their service commitments and customer requirements.

The other criteria are Availability, Confidentiality, Privacy, and Processing Integrity. For cloud service organizations, a combination of Security, Availability, and Confidentiality represents the most common selection.

Deciding whether to include categories beyond the required Security criteria depends on factors including specific customers’ or prospects’ concerns, the types of data a service provider handles on behalf of its customers, or the service organization’s wish to present as comprehensive a report as possible.

A SOC 2 report is considered “restricted use,” and is intended to be shared only with customers, prospects, business partners, and regulators. Because the report includes detailed system information and a controls matrix specific to the service organization, which may include proprietary information, it should not be shared publicly.

What Are the Other SOC Reports?

A SOC 2 is not the only type of report a service organization may be interested in obtaining. A SOC 1 report is a formal audit of a service provider’s controls that could affect its customers’ financial reporting. The other type of report is known as a SOC 3, which is a summarized version of a SOC 2 Type 2 report. This report, intended to be used as a marketing tool for an unrestricted audience, provides a generalized opinion on controls related to one or more of the Trust Services Criteria.

SOC 2 Type 1 vs. SOC 2 Type 2

Service organizations can elect to undergo two different SOC 2 audits. A Type 1 report evaluates whether controls are designed properly at a specific point in time. A SOC 2 Type 2 evaluates whether those controls are designed and functioning as intended over a specified period of time, typically six or 12 months. When customers are asking for a SOC 2 report, they are generally referring to a SOC 2 Type 2. The Type 1 report is usually performed as part of initial readiness at the beginning of your SOC 2 journey.

The Audit Process

To prepare for a SOC 2 audit, a service organization will develop comprehensive documentation of systems, processes, and controls. A SOC 2 readiness tool, such as Drata or Vanta, can help service organizations implement necessary controls based on the applicable Trust Services Criteria for their organization.

During the review, an independent audit firm will assess and validate the service organization’s controls before issuing a report summarizing its findings. The best outcome for the service organization is when the audit firm issues an “unqualified opinion” that the organization under examination can achieve its service commitments and its controls are designed and operating effectively.

A SOC 2 audit is typically performed annually, so the service organization will likely use the report’s findings to fine-tune and maintain its controls before its next examination.

The Benefits of a SOC 2 Report

Having a SOC 2 attestation to share with prospects and customers can provide many benefits for service organizations. For example, a SOC 2 report is often considered a qualifying factor in the due diligence process as companies (especially large enterprises) evaluate potential vendors.

Similarly, undergoing a SOC 2 audit may be a contractual requirement between a service organization and its clients. Some customers may accept a SOC 2 report in place of a security questionnaire.

In short, a SOC 2 report provides assurance that a service organization has implemented strong security controls and procedures that conform with industry security best practices for protecting systems and data and for managing risk.

To learn more about SOC 2 reports and how they can benefit your organization, contact us.

Comparing SOC 1 vs. SOC 2 Reports

Service organizations such as cloud providers and Software as a Service (SaaS) companies look to demonstrate they have effective internal controls and comply with security and privacy standards. To do so, they often pursue a Service Organization Control (SOC) audit and, most often, a SOC 2 report.

SOC 2 reports are a standardized way to validate security, privacy, and processing integrity. The next question to consider is whether a SOC 1 audit may be beneficial (or required).

This decision depends on factors including the types of controls that will be examined and the end users of the report. Both SOC standards are established and maintained by the American Institute of Certified Public Accountants (AICPA), and a SOC examination is usually conducted by auditors working for an independent accounting firm.

Key Similarities Between SOC 1 and SOC 2

SOC 1 and SOC 2 reports look very similar, and there is some overlap between the two, but there are fundamental differences between the reports and their audiences.

Both reports are valuable in assuring customers, prospective customers, regulators, and other stakeholders that the service organization can protect data and manage risk effectively. The SOC audit process also provides insight to help the service organization evaluate and enhance its security and data governance processes.

Providing a SOC 2 report is becoming a common contractual requirement, especially within the vendor qualification requirements of large enterprise customers. In some cases, a SOC 1 report will be an additional requirement for new customer opportunities, or the request for a SOC 1 will come from long-term customers. These organizations want to ensure their data will be processed consistently and accurately, and they increasingly rely on SOC 1 reports for that assurance.

The testing procedures for a SOC 1 focus on financial controls and transaction processing, while a SOC 2 examines general IT controls (ITGCs). As most systems in scope for a SOC 1 are built on information technology systems, many controls from a SOC 2 report can be mapped to a SOC 1 report.

Understanding SOC 1 and SOC 2

A SOC 1 examination centers on the internal controls over financial reporting (ICFR) that a service provider has in place to ensure transaction or data processing is done consistently and reliably. A SOC 1 report focuses on business processes specific to the service organization, and there is more variability than in a SOC 2 report because the control environment will be specific to each service organization.

A SOC 2 report examines controls that address the Trust Services Criteria (primarily Security, but there are five criteria to choose from) and is relevant for service organizations entrusted with custody of their customers’ data. The Trust Services Criteria provide a pre-defined framework that can be applied to a wide range of service providers.

Trust Services Criteria for SOC 2

The relevant trust services criteria are:

  • Security. The only required objective, this criterion evaluates the organization’s controls against unauthorized data disclosure, access, or manipulation.
  • Availability. Keeping systems operational.
  • Confidentiality. Protecting sensitive information throughout its lifecycle.
  • Processing integrity. Ensuring systems operate without unexplained errors.
  • Privacy. Protecting personal information related to customers, employees, and other stakeholders.

Our article “Choosing the Right Trust Services Criteria for Your SOC 2 Audit” provides more details on identifying relevant SOC 2 criteria.

Choosing a SOC 1 or SOC 2 Report

Selecting the most appropriate report depends on the intended audience and the factors leading you to consider a SOC audit. Does your organization touch customers’ financial data and reporting? Are customers asking about information security and data governance?

A SOC 1 report, with its focus on ICFR and the related IT controls, is best suited for evaluating the security of financial data and processing. The primary audience is the organization’s management, customers, and the organization’s external financial statement auditors.

A SOC 2 report, aligned with the trust services criteria listed above, has the same audience and adds potential customers and business partners evaluating the service organization as part of their vendor selection or due diligence process.

For more information and help determining whether a SOC 1 vs. SOC 2 audit report is best suited for your needs, get in touch with our team.

How ISO 27001 Certification Supports and Demonstrates Cybersecurity

For companies serving customers internationally, obtaining an ISO 27001 certification provides a tangible demonstration of their ability to protect customer data.

The certification can also unlock business opportunities as companies evaluate the information security capabilities of their prospective vendors and partners.

What is ISO 27001 Certification?

The standard, known formally as ISO/IEC 27001, helps organizations manage cyber-risks and controls. It provides a recognized framework for ensuring the confidentiality, integrity, and availability of their data through the effective design and operation of their information security management systems (ISMS).

Obtaining ISO 27001 certification requires an audit and a determination, issued by an accredited firm, that the organization under review complies with the standard’s requirements.

ISO 27001 doesn’t offer prescriptive guidance about the cybersecurity steps an organization must take. Instead, it outlines requirements that the organization’s policies and procedures must meet. In turn, ISO 27001 certification provides third-party validation that the organization is following its stated security policies.

At its heart, ISO 27001 is focused on three aspects of information protection:

  • Confidentiality: Only authorized users can access information and can do so only for legitimate purposes.
  • Integrity: Only authorized users can change organizational records or data.
  • Availability: Authorized users must be able to access information when they need it.

The Benefits of ISO 27001 Certification

Being certified can help the organization achieve and demonstrate compliance with various cybersecurity and privacy laws, regulations, and customer requirements. In many instances, ISO 27001 certification matches the requirements of other security mandates.

Cost-Effective Cybersecurity

ISO 27001 provides a cost-effective cybersecurity framework to help organizations understand their security risks and the steps they can take to mitigate them. This knowledge can be especially beneficial for a growing company scaling up its operations.

Investing in ISO 27001 certification can help an organization reduce its total cybersecurity costs by identifying security weaknesses that may result in costly breaches and disruptions. For instance, a single security incident can produce direct costs, such as repairing the breach and notifying customers. A breach can also cause indirect costs resulting from business disruptions, damage to the organization’s reputation, or lost opportunities.

Customer Appeal

Having a certification for ISO 27001 can provide competitive advantages by allowing a company to meet customer expectations that sensitive data will be used and protected appropriately. This can enable service providers to compete effectively, potentially with larger customers that have strict security requirements. Being certified sets an organization apart from its uncertified competitors and helps customers make more informed decisions about whom they can trust.

ISO 27001 Risk Management Framework

The ISO 27001 standard offers a framework for protecting the confidentiality, integrity, and availability of an organization’s information that helps it identify and mitigate risks through the appropriate controls.

The 2022 revision of the standard lists 93 controls aligned into four categories:

  • Organizational controls, including policies and expected behaviors.
  • People controls, including appropriate training.
  • Physical security and access controls.
  • Technological controls related to information systems, including hardware and software.

ISO 27001 and SOC 2: A Perfect Match for Organizations to Evidence Cybersecurity Compliance

Because ISO 27001 is an internationally recognized standard, obtaining certification is valuable for organizations with global clients or operations. U.S.-based entities will often start with System and Organization Controls (SOC) 2 attestations, as those are commonly sought in the U.S. market.

Whether ISO 27001 or SOC is the most appropriate standard for an organization’s operations and customer base, there is considerable overlap between the two frameworks. Most organizations can benefit from pursuing an ISO 27001 certification and a SOC 2 attestation report at the same time.

Bringing in an audit firm qualified to assess an organization’s compliance with both standards can help it save time and money. A review of its policies, procedures, and controls aligned with one framework gives it a head start on demonstrating compliance with the other.

Since obtaining both doesn’t require twice the time or effort, many organizations undergoing SOC 2 or ISO 27001 may include the other as a simultaneous or overlapping project.

Starting the Process to Achieve Certification

ISO 27001 certification can be a valuable resource for organizations that want to showcase their commitment to managing information security. A company’s ability to implement ISO 27001 can play a huge role in protecting sensitive data and mitigating cyber risks.

Additionally, obtaining certification can improve brand reputation, increase customer trust, and create new business opportunities. Although getting ISO 27001 certification can be a challenging process, the benefits it offers are worth the effort for companies that give high importance to data security.

Interested in learning more about how an ISO 27001 certification can help your business? Contact us.

Sensiba LLP announced today it has been accredited by the ANSI National Accreditation Board (ANAB) to certify organizations for the ISO/IEC 27001 and 27701 standards.

Sensiba received ANAB accreditation following an extensive examination of its ISO certification policies, procedures, and implementation performance. After reviewing the audit process and related documentation, ANAB was satisfied Sensiba met the rigorous qualifications for accreditation.

“Securing this accreditation is a significant milestone for us, and I’m immensely proud of our team’s accomplishment,” says Risk Assurance Services Audit Partner Brian Beal. “We’re excited to offer this enhanced level of service to our clients, reinforcing our commitment to collaborating with our clients to meet their evolving risk assurance needs.”

ISO 27001 provides a cost-effective cybersecurity framework to help organizations, including those delivering solutions on the cloud, understand their security risks and the steps they can take to mitigate them. ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 that maps closely with GDPR.

For both standards, an audit resulting in a determination by an accredited firm that the organization under review complies with the standards’ requirements represents third-party validation the organization is following its stated security policies.

ISO 27001 certification can be a valuable achievement for organizations that want to highlight their commitment to managing information security and privacy.

“Being able to award accredited certifications demonstrates a level of trust in our processes to ensure we are meeting the standards of both ANAB and the International Accreditation Forum,” says Sensiba’s ISO Practice Leader Scott Dritz. “We’re proud to achieve this milestone on behalf of our clients.”

Sensiba also provides audits for the ISO/IEC 27017 (cloud provider information security controls) and 27018 (privacy in cloud services) standards.

AICPA Emphasizes Auditor Independence in the SOC 2 Industry

As demand grows for SOC 2 reports and the market for GRC compliance tools expands, the AICPA is reminding companies and providers about the importance of auditor independence in delivering audit and nonattest services, as well as the risks of an audit provider reviewing its own work.

The new guidance comes after market changes in which some SOC 2 readiness and audit firms are developing offerings and tools that blur sector lines by offering services traditionally done by the other type of provider. In late 2022, the most recent changes to the AICPA’s SOC 2 Guide placed a heavy emphasis on the concepts of independence and “nonattest” services in response to how much the SOC 2 industry has changed over the last several years.

Surge in Demand for SOC 2 Reports and the Rise of the SOC 2 Readiness Industry

During the last several years, SOC 2 has exploded in popularity. Combining the trends in cloud computing and outsourcing, and the significant emphasis on vendor risk management, has led to a perfect confluence driving exponential growth in SOC 2 demand.

This surge has spurred a whole new SOC 2 readiness industry. Numerous GRC platforms and SOC 2 readiness tools are rushing to market, some backed by major venture and private equity investors seeking to take advantage of this mini-goldrush.

Because they have tremendous amounts to spend on marketing, many of the SOC 2 readiness platforms and GRC providers act as a funnel for the numerous companies that need SOC 2 reports and are referred to CPA firms to conduct audits and issue the reports.

A Focus on Independence

A pillar of the AICPA standards for audit and attestation engagements is that a CPA should be “independent” of the entity they are auditing or providing attestation services to. For example, the CPA should not have financial or other interests in their clients.

The AICPA also focuses on the important concept that CPAs should not audit their own work. In the context of SOC 2, this would mean an auditor should not implement controls, take management responsibility, or insert themselves as a decision-maker in the design and operations of a system. This makes sense as objectivity and independence are central to the ultimate value of the SOC 2 opinion.

Nonattest Services

As noted above, the SOC 2 readiness industry, which would meet the definition of a nonattest service, has been a huge money-maker. But if you look at the total opportunity, readiness is only one part of what is charged to the customer, with the audit firm getting the other portion for executing the audit and providing the audit opinion.

Some readiness platforms have seen this and have spun up their own audit firms. At the same time, some CPA firms have seen explosive growth on the readiness side and, looking to take advantage of demand, are creating readiness tools and GRC implementations to drive revenue.

Other nonattest services that need to be considered include penetration testing, vulnerability management, and incident response. All of those services are central to the control environment, and thus represent a threat to independence if such services are delivered by the same entity responsible for auditing the client’s environment.

AICPA’s Guidance for Auditor Independence

The recently updated SOC 2 Guide is the primary guidance provided by the AICPA defining SOC 2, and it builds on the AICPA audit and attest standards, including the rules of professional conduct for CPAs. For SOC 2, the AICPA has established Statements on Standards for Attestation Engagements (SSAE) that specify how the CPA should engage with their clients, perform their work, and handle client interactions.

At the end of the day, the new AICPA guidance is a re-emphasis on independence and specifically focuses on the threats to independence created by nonattest services. This is especially true for auditors reviewing their own work, which is a real risk if the auditor is also providing readiness services.

The AICPA is not an enforcement agency; however, it has made clear that it sees the proliferation of services that are central to the system under examination as threats to auditor independence when they are provided by the same CPA firm. We fully grasp this concept, and believe it is central to the objective insights and value that we provide. Contact us for your SOC 2 readiness and audit needs while ensuring auditor independence.

Choosing the Right Trust Services Criteria for Your SOC 2 Audit

A SOC 2 audit is like a report card that shows clients you’ve got your act together when it comes to handling their sensitive information. It’s proof that your systems and processes have been thoroughly checked and approved by objective, third-party experts.

What’s unique about a SOC 2 report is that you get to define the scope. Every service organization gets evaluated on security, but choosing the other security and privacy considerations that get audited—known as the Trust Services Criteria—is up to you.

Which Trust Services Criteria Should You Choose?

The Trust Services Criteria are a set of five IT security principles developed by the American Institute of Certified Public Accountants (AICPA) to help organizations safeguard their sensitive information and assets.

In this article, we’ll outline each Trust Services Criteria category and provide guidance on whether you should consider including it in your SOC 2 scope.

Security

The security category focuses on protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. This includes protecting systems both physically (on location) and from remote threats like hacking, viruses, and other cyber attacks.

Important security-related controls and processes include the use of passwords, authentication systems, segregation of duties, encryption, and firewalls.

Security is required for all SOC 2 reports and, therefore, is sometimes referred to as the “common criteria.”

Availability

Availability means ensuring information and systems are accessible to authorized users when needed. This includes minimizing downtime and maintaining system performance. Relevant controls may include redundant servers, backup and recovery systems, load balancing, and disaster recovery plans.

If you answer “yes” to any of these questions, consider including availability in your audit scope:

  • Do you have service level agreements (SLAs) related to system uptime or performance?
  • Would system downtime significantly impact your customers’ operations?

Processing Integrity

When looking at processing integrity, auditors want to know your systems are handling information accurately and reliably, without experiencing errors, omissions, incorrect processing, or unauthorized or accidental manipulation.

If you answer “yes” to any of these questions, consider including processing integrity in your audit scope:

  • Do your customers rely on your systems to perform critical operational tasks like financial or data processing?
  • Would inaccurate or unreliable data produced by your systems negatively impact customers?
  • Do you transform, manipulate, or analyze customer data in your systems?

Confidentiality

Here, auditors are looking at how you protect information designated as confidential. This may include trade secrets, intellectual property, or client financials. Confidentiality controls may include data classification rules that govern who can access certain information.

Examiners may also ask about audit trail capabilities, meaning your ability to monitor who accessed sensitive information and what actions they took (e.g., copying, deleting, or editing data).

If you answer “yes” to any of these questions, consider including confidentiality in your audit scope:

  • Do you handle sensitive data protected by NDAs or regulations?
  • Do you collect and store intellectual property, trade secrets, or client financials?
  • Do your contracts with customers require you to delete their data when no longer needed?

Privacy

Privacy specifically focuses on controls to protect personally identifiable information (PII). Auditors will be looking to see if you operate in accordance with client agreements, as well as any applicable laws or regulations.

Privacy controls often include issues of notification, choice, and consent. This means you’ve let people know how you collect, use, and retain their information so they can make an informed decision about whether to share it with you.

Privacy criteria may also deal with issues of access, such as giving customers a way to view the information you’ve collected so they can ask you to correct it. In addition, auditors will be looking at your disclosure and notification policies, such as defining how you’ll detect data breaches and notify customers if a breach occurs.

If you answer “yes” to any of these questions, consider including privacy in your audit scope:

  • Do you collect PII from customers such as Social Security numbers, birthdays, or healthcare data?
  • Do you need consent management tools to collect customer PII?
  • Are you subject to data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA)?
  • Do you run an e-commerce platform?

Can’t decide between privacy and confidentiality (or both)? See our related article Understanding the Privacy and Confidentiality Criteria in a SOC 2 Examination.

Choose the Trust Services Criteria Your Customers Expect

Evaluating your customers’ key concerns will help determine which Trust Services Criteria to include in your SOC 2 audit. A more comprehensive audit can demonstrate a stronger commitment to security and satisfy a greater number of potential customers.

Our goal is to make your SOC 2 audit as straightforward as possible, with a practical approach that addresses your concerns in a cost-effective manner. For more information and help defining your SOC 2 audit scope, get in touch with our team.

5 Common Mistakes to Avoid Before Starting a SOC 2 Audit

A SOC 2 report can be a powerful tool in demonstrating your company’s commitment to securing your customers’ data. And while the benefits are compelling, several common mistakes or misunderstandings about SOC 2 audits can make the process more complicated, lengthy, and expensive.

A SOC 2 compliance report summarizes the results of an external auditor’s evaluation of your company’s policies, processes, and controls for protecting customer data in five key areas:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

A SOC 2 Type 1 report tests control designs at a specific point in time, while a more comprehensive Type 2 report tests controls repeatedly over a period of time to confirm operating effectiveness.

Customers depend on the SOC 2 audit results as they conduct due diligence on prospective and current cloud service vendors. They want assurance they can safely integrate their internal and customer data. SOC 2 compliance is an important consideration or requirement for many companies as they choose technology partners.

5 Common SOC 2 Audit Mistakes

The following five mistakes can complicate the SOC 2 audit process or hinder your ability to take advantage of the assurance a SOC compliance report offers your customers.

1. Not Designating a Project Manager

As you’re planning for a SOC 2 audit, naming a project manager is essential in streamlining the flow of information within your organization and with your external auditor. A SOC 2 audit’s broad scope means you will collect information and documentation from business functions, including HR, operations, systems admins, database professionals, and others.

Each control will require someone with subject matter expertise to provide evidence of that control’s effectiveness for the auditors to review. If you don’t designate someone to coordinate that information flow, the auditors must track down documentation function by function. This complex process will extend the life of the project considerably.

Instead, choosing a single point of contact can make this process faster and more efficient. If you do not have someone with project management experience on staff, consider bringing in an external project manager on a consulting basis.

2. Not Performing a Readiness Assessment

Before you engage an auditor, it’s crucial to conduct a readiness assessment to identify the controls that will be examined during the audit, any missing controls, and any controls that lack documentation.

Failing to perform these basic steps before the audit begins can easily lead to unexpected control gaps and failures during the audit that, in turn, can hamper your ability to obtain a report documenting SOC 2 compliance. As with project management, a consultant with readiness assessment expertise can help streamline the process and enhance your capabilities.

3. Not Performing Interim Testing During an Audit

It’s important to test your controls during the first reporting period covered by your SOC 2 assessment. For instance, if you’re performing an audit based on six months, you should test your controls after three months to ensure they have been operating effectively for that timeframe.

This interim testing allows you to identify and mitigate any control exceptions, so you’d have the rest of the period for that control to operate effectively. Interim testing is optional, but it’s far more effective than waiting for the end of the period and discovering deficient controls that force you to extend the review period as you mitigate issues.

4. Expecting Customer Security Questionnaires to Stop

Although most clients who ask about your information-protection policies and controls will be satisfied with a SOC 2 report, companies with security questionnaires will likely continue to issue them. Because each company’s operating environment (and questionnaire) is different, merely handing over a SOC 2 report is unlikely to satisfy their request for information. You may be able to pull information from the report when answering the questionnaire, but don’t expect questionnaires to become a memory.

5. Assuming SOC 2 Is One and Done

When you receive a SOC 2 compliance report, that doesn’t mean the process is over. Effective risk management is an ongoing process, which means that, for subsequent periods, you’ll have to stay on top of the controls and operations covered in the initial report.

This will require ongoing risk assessments, updating policies and procedures as changes occur in your environment, vulnerability scanning and penetration testing, updating business continuity and disaster recovery plans, and other assessments.

By avoiding these common mistakes, you’ll receive a SOC 2 report demonstrating your commitment to securing and protecting customer data and a report you’ll be pleased to hand to any prospect or customer who asks for one.

Need help preparing for your SOC 2 audit? Contact us.

How to Read a SOC Report in 5 Minutes (or Less)

TL;DR: Open the SOC report, press Ctrl+F, and search for “Opinion.” If the audit opinion states, “In our opinion, in all material respects …” the report gets a gold star. See? That was even less than five minutes!

After performing SOC audits day-in and day-out and issuing hundreds of SOC reports to clients, it recently occurred to me that I may take for granted that everyone knows how to determine if a SOC report was a “pass” or a “fail.”

I’m not saying you shouldn’t read the entire SOC report, because you should; there’s a lot of essential and detailed information in those reports, but let’s be honest—reading that 100-page report could take some serious time. So, as an alternative to reading every page, there is an easy and quick way to summarize the results of a SOC 1 or SOC 2 report, and there are a few variations of “pass” and “fail.” Let’s clear those up first, then I’ll tell you exactly where to find them in the report.

“Pass” and “Fail” Opinions

Unqualified Opinion

The best outcome for the SOC report is when the audit firm states an “unqualified opinion.” This simply means the auditors have determined that the organization under examination can achieve its service commitments and system requirements as described in the report. This is also known as a “clean opinion,” which everyone wants to see. The unqualified opinion will use the following language: “In our opinion, in all material respects …”

Qualified Opinion

The second level of pass is in the form of a “qualified opinion.” This isn’t a bad thing, but it’s not a clean opinion either. A qualified opinion means the audit firm has determined that some controls at the organization aren’t designed well or aren’t operating as they should be. These can be minor and correctable (and explainable) issues that organization management acknowledges and has a reasonable plan to correct.

No one’s perfect, and a slip in control can happen from time to time. If you see a qualified opinion, you’ll want to dig deeper into the report to evaluate what “exceptions” were found by the auditor and management’s remediation plan. The qualified opinion will use the following language: “In our opinion, except for the matter referred to in the preceding paragraph …”

Adverse Opinion

The third type of opinion would move into the failure column. This is when the audit firm issues an “adverse opinion” in the report. This typically means the system description was not fairly presented, the controls were not appropriately designed, or they did not operate effectively—all meaning that the organization would have trouble meeting its service commitments and system requirements.

This opinion should give you pause if you’re relying on that organization to provide any service to your business. The adverse opinion will use the following language: “In our opinion, because of the matter referred to in the preceding paragraph …”

Disclaimer Opinion

The fourth and final opinion is the dreaded “disclaimer of opinion.” This is the unicorn of SOC reports—it’s so rare that I’ve never seen one (and our firm has never issued one). But you can probably guess why these are never seen—what organization would ever distribute this version of their SOC report? A “disclaimer of opinion” means the audit firm has concluded that they could not validate whether any of the controls were operating during the reporting period and were unable to complete the audit.

Where to Find the Auditor’s Opinion

Where can we find the auditor’s opinion in the report? There are typically four sections of the report, and you will want to locate the section titled “Independent Service Auditor’s Report.” This is usually either Section I or Section II of the report.

Once you find the auditor’s report section, scroll down to the “Opinion” section. Here’s where you’ll find out if the report is a pass or fail. Again, if the opinion is unqualified, you can put the report down with confidence and enjoy that second cup of coffee. If it’s any of the other opinions we discussed above, you’ll probably want to dig deeper into the details to learn what the findings mean.

I’m a visual person, so keep this in mind when reviewing the auditor opinions:

  • Unqualified Opinion = pass (clean opinion)
  • Qualified Opinion = pass, with exceptions to review
  • Adverse Opinion = fail
  • Disclaimer of Opinion = fail (the audit could not be completed)

For more information or help preparing for your SOC audit, please get in touch with our team.

Why You Can’t Freely Share Your SOC 2 Report

“Why can’t I share my SOC 2 report?” It’s a question we’re asked a lot, and given the time and expense of acquiring a SOC 2 report, it’s understandable. You can share it, but your report is restricted and there are good reasons behind this restriction.

SOC 2 Is a Restricted Use Report

The SOC 2 report is, by definition, a restricted use report. As such, it’s not suitable for public distribution. If you think about it, a SOC 2 report includes a detailed system description and a matrix of controls specific to your company that often includes proprietary information. From a process and security stance, it makes sense not to publish this information for your competitors or people with nefarious intentions to see. This is why if you do a Google search for “example SOC 2 report”, you can’t easily find one.

Suppose you use AWS or Microsoft Azure as your subservice organization and need a copy of their SOC 2 report. In that case, there’s a specific process to verify whether you should be given access to this information. Further, the AICPA standards look to the “intended reader” of the report and whether that reader has sufficient knowledge to understand the report’s content.

Case in point: The following excerpt is standard audit opinion language that appears in all SOC 2 reports detailing “Restricted Use.” You’ll notice that it reinforces the AICPA’s “intended reader” standards:

This report, including the description of tests of controls and results thereof in the section of our report titled “Description of Tests of Controls and Results Thereof,” is intended solely for the information and use of [Service Organization Name]; user entities of [Service Organization Name]’s [insert title of the description] during some or all of the period [Month XX, 20XX] to [Month XX, 20XX]; business partners of [Service Organization Name] subject to risks arising from interactions with [Service Organization Name]’s processing system; practitioners providing services to such user entities and business partners; prospective user entities and business partners; and regulators who have sufficient knowledge and understanding of the following:

  • The nature of the service provided by the service organization.
  • How the service organization’s system interacts with user entities, subservice organizations, and other parties.
  • Internal control and its limitations.
  • Complementary user entity controls and complementary subservice organization controls and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements.
  • User entity responsibilities and how they may affect the user entity’s ability to effectively use the service organization’s services.
  • The applicable trust services criteria.
  • The risks that may threaten the achievement of the service organization’s service commitments and system requirements and how controls address those risks.

This report is not intended to be and should not be used by anyone other than these specified parties.

The Difference Between SOC 2 vs. SOC 3

For more general use, a SOC 3 report is an optional add-on for a SOC 2 report that omits detailed control listings and sensitive information and employs modified system descriptions. In effect, it is a summarized version of the SOC 2 Type 2 report. As such, it is defined as a “general use report” and can be distributed freely.

In contrast to the challenges of obtaining Amazon or Microsoft’s SOC 2 reports, both share their SOC 3 reports publicly.

For more information on why SOC 2 reports are restricted use and examples of other, more general alternatives, check out the AICPA’s guidance on the available SOC reports. If you’re considering a SOC 2 report, don’t hesitate to reach out to our team or visit our SOC 2 services page.

SOC 2

To satisfy a customer’s privacy requirements, EPK chose Sensiba for a SOC 2 audit.

Based in Ontario, Canada, EPK Training Solutions Inc. provides an innovative and continually evolving, on-demand learning platform to help companies increase the knowledge of their sales and customer service teams.

  • SOC 2 Readiness Platform: Drata
  • SOC 2 Type II Audit
  • SOC 3 Report

Challenge

EPK Training Solutions Inc. is an on-demand training provider specializing in helping companies improve sales and customer service. When one of its customers requested that EPK provide a SOC 2 report within 12 months in order to maintain the relationship, the company recognized a need to commit to a formal process.

EPK’s first attempt at obtaining its SOC 2 involved engaging an audit firm whose processes were largely manual and cumbersome. This initial audit firm applied the traditional approach to performing an audit: an antiquated Excel-based request list, time-consuming document requests, and limited organization of the overall SOC 2 engagement. EPK’s CTO Dave Wiese says this effort was time-consuming and frustrating because, as the deadline loomed, the company wasn’t receiving guidance and didn’t feel it was making headway on completing the audit.

“We could tell that with all of the information we were collecting, it was going to be a nightmare to organize and, ultimately, demonstrate we were following our policies and protecting our customers’ data,” Wiese says.

“The guidance and responsiveness we encountered working with Sensiba alleviated our anxiety throughout the remainder of the process. They encouraged us to call when we had questions, and I could sleep at night knowing we were on the right path and had someone in our corner.”

David Wiese, Chief Technology Officer, EPK Training Solutions Inc.

Solution

SOC 2 Readiness

After recognizing the challenges with manual data collection, and a fast-approaching deadline, EPK pivoted and began evaluating automation tools. After comparing options, they ultimately selected Drata’s SOC automation platform for data collection, analysis, and continuous monitoring. The platform provides customizable security policies and features a dashboard that helps businesses understand their compliance status and security controls by monitoring devices, applications, vendors, and risks across the company.

SOC 2 Type II Audit

After a smooth onboarding, EPK asked Drata for recommendations on a new audit partner and was introduced to Sensiba, a firm well versed in the benefits of readiness platform tools such as Drata.

“Sensiba was very responsive,” Wiese says. “They helped us identify and prioritize critical aspects of the audit, focus our efforts where it mattered most, and circle back to less urgent elements later in the process.”

While the majority of SOC 2 “trust service principles”— security, availability, confidentiality, and privacy — were addressed in the audit, Wiese says its customer was especially interested in safeguarding the privacy of its employees who were participating in the training modules EPK develops and delivers.

“While we don’t perform transactions and store sensitive payment information, we do have employee names and email addresses to protect,” Wiese says. “We and our customers understand that if any information gets out, that reflects poorly on them, and we have an obligation to protect that data.”

Result

Despite the time lost with its prior manual approach and audit firm, EPK, working with Drata and Sensiba, was able to complete the SOC 2 Type II audit ahead of the customer’s deadline and provide objective confirmation that the company’s security processes and controls are effective.

The successful SOC 2 audit project has provided EPK with several benefits, including the elimination of security-related discussions during contract renewal with its customers and greater confidence in explaining its security and privacy policies to prospective customers.

Perhaps more importantly, Wiese says the audit process caused a cultural shift within EPK’s teams that placed security at the forefront of the company’s internal discussions.

“It has really focused the company to ask security questions first,” Wiese says. “When we started the process, there was some trepidation that focusing on security might make us less agile. That hasn’t happened, and now we’re talking about security in everything we do. Everyone’s bought into the value of compliance, and I’m very happy about that.” In addition to the SOC 2 Type II, EPK also obtained a SOC 3 report to share with its sales and marketing teams.

Asked what advice he would share with other companies approaching a SOC 2 audit, Wiese says it’s important to evaluate SOC readiness tools before starting the process.

“I’d say don’t do this without a dedicated tool,” he says. “Yes, you can do an audit without a readiness platform, but it’s extremely difficult to track continuous compliance manually. Spreadsheets are great for certain things, but not for compliance monitoring because you don’t want to update a spreadsheet every day with the status of all your infrastructure. You can just automate that.”

As part of that process, he also suggests making sure the audit firm you choose is familiar with your readiness platform.

“That will set you up for success,” Wiese says. “Don’t try to nickel-and-dime the tool and professionals that will help make sure you’re compliant.”

Ready to get started?

Find out how our Risk Assurance team can help you with your compliance. Contact us to learn more about how we can work together toward your goals.

Ready for more inspiration? Dive into additional client success stories where we showcase diverse projects, innovative solutions, and the transformative impact we’ve had on businesses like yours.

SOC 2

With growing expectations that it could demonstrate effective security practices, Beneration enlisted Sensiba for a SOC 2 Type II audit.

Beneration helps companies simplify the world of employee benefits and billing. Beneration’s proprietary platform offers consolidated invoicing enhanced with robust auditing technology, plus custom-built billing solutions that meet even the most complex requirements. With Beneration’s streamlined billing solutions, companies can eliminate errors, save time, and focus more on their people.

  • SOC 2 Readiness Platform: Vanta
  • SOC 2 Type II Audit

Challenge

Beneration provides a range of tools and services to assist employers, insurance carriers, and brokers in optimizing their employee benefits billing and administration.

The company has always placed a strong emphasis on maintaining the security of the sensitive employee benefit data it manages on behalf of its clients, but Beneration was looking for ways to demonstrate that commitment to prospects and customers, and to verify that it was aligning its practices to evolving industry standards. Faced with growing customer and prospect expectations that it could demonstrate effective security practices, Beneration enlisted Vanta and Sensiba to prepare for and perform a SOC 2 Type II audit.

“Any time we had a question, Sensiba walked us through it so we could figure out our situation and what we needed to do. Sensiba explained everything well and provided clarity throughout the process. We weren’t just interacting with an email address.”

Josh Winigrad, Managing Director, Beneration

Solution

“In some areas, it’s almost like filling in the blanks,” says Josh Winigrad, Managing Director at Beneration. “Vanta says you’re going to need something, and highlights potential gaps so you can track down what you need or make adjustments.”

SOC 2 Type II Audit

After onboarding with the readiness platform, Vanta introduced Beneration to potential audit partners. Vanta helped Beneration clarify its needs and facilitated interviews with several firms before Beneration selected Sensiba.

“Vanta supported us by asking questions about our operation and our goals, and by suggesting potential partners for us,” Winigrad says. “The Sensiba team stood out not only for its technical expertise but also its competitive pricing and a cultural fit. We really thought they were a firm that had reasonable expectations for our first audit, but also had the capability to allow us to grow in subsequent audits. Both of us understand that security is an ongoing, iterative process.”

Result

The SOC 2 Type II audit represented a relatively straightforward process for Beneration, Winigrad says, in part because Vanta automated so much of the required data collection and analysis.

“Vanta helped us collect and organize everything in an orderly fashion, and Sensiba was there to help with any questions that came up,” Winigrad says.

“Any time we had a question, someone from Sensiba walked us through it so we could figure out our situation and what we needed to do. Sensiba explained everything well and provided clarity throughout the process. We weren’t interacting with an email address.”

The successful SOC 2 Type II audit report provides Beneration with independent, objective confirmation that its security processes and controls are effective and performing as designed.

In addition, the audit report helps the company compete in the marketplace and pursue larger opportunities. With larger organizations expecting potential vendors to have a SOC 2 Type II audit report, completing the process places Beneration on the same footing as its competitors.

As another benefit, the preparation work that fueled its first audit has positioned Beneration effectively for its ongoing security audits.

“With our connections and integrations set up in Vanta, the work we’ve done will give us capacity to make improvements in future years,” Winigrad says. “Our next audits will be more focused, which will help us improve our security processes.”

Ready to get started?

Find out how our Risk Assurance team can help you with your compliance. Contact us to learn more about how we can work together toward your goals.

Ready for more inspiration? Dive into additional client success stories where we showcase diverse projects, innovative solutions, and the transformative impact we’ve had on businesses like yours.

SOC 2

Clario demonstrates its commitment to protecting customer data with Vanta and Sensiba.

Clario is singularly focused on equipping mid-sized marketers with the same data, machine learning, and expertise the giants are using today to run radically customer-centric organizations whose growth is fueled by scientific experimentation, measurement, and automation.

  • SOC 2 Readiness Platform: Vanta
  • SOC 2 Type II Audit

Challenge

Clario, Inc. is a growing SaaS company, building the most intelligent audience automation platform for marketers. As a tech company, Clario understands the importance of maintaining data security, and effective policies and procedures. As they continue to build market momentum, providing customers objective evidence about Clario’s commitment to security has become increasingly important (and often a requirement) in competing for deals and responding to RFPs.

“We have a meaningful compliance regime and security controls, and we know we can speak confidently about those to clients.”

Dan Reiland, Director of IT Operations, Clario

Solution

SOC 2 Readiness

Clario had considered a SOC 2 audit in the past, but, between the lack of viable readiness tools and high costs, it couldn’t justify the investment. With the increased availability and affordability of readiness platforms in recent years, the company gained new options.

After a careful evaluation, Clario selected the Vanta readiness platform. Along with a smooth onboarding process, Vanta offers direct integration with Amazon Web Services, the cloud-based infrastructure Clario uses, as well as automated evidence collection, controls assessments, and real-time monitoring to establish a compliance baseline and prompt corrective actions that improve the company’s security posture.

SOC 2 Type II Audit

In addition to evaluating SOC readiness platforms, Clario evaluated firms to perform their SOC 2 audit. Clario wanted an audit partner not only with technical expertise, but that was aligned with its culture and work style. Clario partnered with Sensiba to conduct the examination and testing required for its SOC 2 Type 2 audit, based on compatibility between the teams.

“Sensiba was definitely a good fit in that regard,” says Dan Reiland, Clario’s Director of IT Operations. “The Sensiba team was incredibly forthright. They were collaborative and willing to answer a variety of questions even before they were selected. Throughout the observation period, they were responsive about providing context and validation, and they completed the audit without wasting any time.”

Result

Clario has a successful SOC 2 Type 2 Audit Report, which provides objective confirmation that the company’s security processes and controls are effective.

Equally important, the company has sustainable processes and an enhanced ability to reassure customers about protecting their data, as well as their customers’ data. The company is better able to conduct ongoing risk assessments and to adjust its policies and procedures quickly as conditions change.

“We have a meaningful compliance regime and security controls, and we know we can speak confidently about those to clients,” Reiland says. “Being able to provide that level of comfort goes a long way. We also have external validation that our controls are appropriate and performing as designed. There’s an additional comfort that was worth the effort of obtaining the audit.”

Looking back, Reiland says the process was smooth and he wishes Clario had undergone the SOC 2 audit sooner. He also says it’s important to be selective when evaluating tools and partners to help.

“The readiness platform is important, but companies should also be choosy as they interview auditors,” he says. “There’s value in those direct human interactions. It’s not necessarily just about cost. Taking the time to find the right fit is important.”

Ready to get started?

Find out how our Risk Assurance team can help you with your compliance. Contact us to learn more about how we can work together toward your goals.

Ready for more inspiration? Dive into additional client success stories where we showcase diverse projects, innovative solutions, and the transformative impact we’ve had on businesses like yours.

Understanding the Privacy and Confidentiality Criteria in a SOC 2 Examination

As service organizations prepare for SOC 2 examinations, understanding the roles of the Privacy and Confidentiality Trust Services Criteria (TSC) can help them manage risk more effectively and optimize the scope of SOC 2 audits.

Privacy and Confidentiality are two of the five TSCs that can be considered in a SOC 2 review. The Security criteria are mandatory, while Confidentiality and Privacy, along with Availability and Processing Integrity, are optional areas for review.

The Confidentiality and Privacy criteria, although similar in nature, have important differences that a service organization should consider as it decides which criteria should be included in an upcoming SOC 2 review.

Understanding Privacy vs. Confidentiality

It’s important for companies scoping a SOC 2 audit to understand the differences between the Confidentiality and Privacy criteria:

Confidentiality

Confidentiality refers to a service organization’s ability to secure proprietary information from unauthorized access or disclosure. The types of data that need to be secured will vary among providers, but typically include:

  • Business plans
  • Trade secrets
  • And similar forms of information.

Privacy

Privacy refers to the service organization’s ability to collect, use, retain, dispose of, and disclose personally identifiable information (PII) in accordance with client agreements as well as any applicable laws or regulations. This will typically include:

  • Customer and employee names
  • Addresses
  • Medical or financial data
  • Purchase histories
  • And similar data that can be associated with a specific individual.

When to Choose Specific Trust Criteria

Deciding whether to include one, the other, or both criteria depends on several factors, including the types of data the service organization handles on behalf of its clients and the sensitivity of that data.

For example, the Privacy TSC is important for providers that interact directly with individuals or process PII on behalf of their clients. In these instances, the service organization’s client (and their customers) will share data with the system and thus may also want to understand the steps the service organization follows to protect that sensitive data within the system.

The applicability of the Confidentiality TSC will likely vary among service organizations and their clients, but it often comes into scope when the provider is processing or using information it is contractually required to protect.

For instance, a service organization that provides purchasing software for its clients will need to secure the customers’ purchase history from unauthorized access, but with perhaps less technical rigor than it would apply to someone’s health insurance claim or personally identifiable data.

Developing Privacy and Confidentiality Controls for Compliance

After classifying data and selecting the appropriate criteria, service organizations will need to design and implement appropriate controls to ensure compliance with the Privacy and Confidentiality TSCs.

Effective Privacy controls often include policies and procedures for:

  • Obtaining and documenting customer consent for data.
  • Limiting the collection of PII to what’s needed for legitimate business purposes.
  • Cleansing non-relevant data as it’s being collected.
  • Providing individuals with access to their information, as requested.
  • Destroying information that isn’t needed or for which a legitimate purpose has expired.

Effective Confidentiality controls may vary, but often address:

  • Classifying information based on its sensitivity.
  • Restricting access to a need-to-know basis.
  • Monitoring access to stored confidential information.
  • Encrypting confidential information while it’s being shared or stored.

Choosing the right TSC, or a combination of criteria, is important in mitigating risk while also developing an effective and cost-effective scope for a cloud service provider’s SOC 2 audit.

For more information about Privacy vs. Confidentiality or if you need help preparing for your SOC audit, contact our team.

Cyber Incident Response, Business Impacts, and SOC 2

Click here to download a copy of the slide deck used during the presentation.

In this webinar, learn how cyber incident response and SOC 2 audits intersect with one another, the challenges and impacts we see our clients face, and ways you can automate the process with BreachRx.

Let’s talk about your project.

Whether you need to unravel a complex challenge, launch a new initiative, or want to take your business to the next level, we’re here. Share your vision and we can help you achieve it.

SOC 2 & Risk Management

Formally identifying and addressing risk is an audit requirement, but is also a responsible exercise for your company to undertake. Download our guide and gain insight into the types of risks that should be on your radar.