About SOC2 (AT101) Report
A SOC 2 report is an engagement performed under the AT section 101 and is based on the existing Trust Services Principles, Criteria and Illustrations (SysTrust and WebTrust). This report will have the same options as the SSAE 16 report where a service organization can decide to go under a Type I or Type II audit. However, unlike the SSAE 16 audit that is based on internal controls over financial reporting the purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality or privacy. Organizations asked to provide an SSAE 16, but do not have an impact on their client’s financial reporting should select this reporting option.
SOC 2 reporting standard was created by the AICPA to fill the gap for organizations that were being requested to have a SAS 70 (now SSAE 16) but did not officially meet the criteria of what the SAS 70/SSAE 16 standards required. Until now there was really only one recognizable audit due to SAS 70 being the defacto standard audit for all service organizations. When SAS 70 was replaced by SSAE 16 on June 15, 2011, the AICPA strategically created three different SOC reporting options to more closely align service organizations third party compliance. Now companies can obtain the correct and recognizable third party assurance report.
Who Should Obtain a SOC 2 Report?
As a service provider, you need to guarantee your customers that your IT controls are aligned, designed and applied effectively to its control objectives. Also, any organization that wants to put their information systems up against best practices and those who may use this report to ensure that they have controls to provide security, confidentiality of stored information, processing integrity of transactions, system availability and privacy. Many organizations are good candidates for a SOC 2 report and we provide services not limited to the following industries:
- Hosting providers (web hosting, e-mail hosting, document storage, backup service providers, cloud computing, dedicated server, network administrators, and more)
- Production printing (direct mail marketers, print and mail providers)
- Software as a Service (SaaS)
- Application Service Providers (ASP)
- Health care service providers
- Government service providers
- And more….
Note: if you are a service provider and may potentially impact the control environment of one or more of your clients’ financial reporting activities you should consider a SOC1 ( SSAE 16 ) report.