Nov 9, 2018

Service Organization Controls (SOC) reports are issued by an American Institute of Certified Public Accountants (AICPA) assessor. SOC reports are conducted by independent, third party auditors and managed as a standard by the AICPA. There are three levels of SOC reports: SOC 1 covers internal controls over financial reporting; SOC2 covers controls over security, availability, processing integrity, confidentiality, and privacy; and SOC 3 is a general-use report that provides only the auditor’s report on whether the system being tested achieved the trust services criteria (security, availability, processing integrity, confidentiality, and privacy). A SOC 2 Type II report is a control specific protocol that is particularly relevant to outsourcing risk management.

Type II reports contain the auditor’s opinion on the effectiveness of controls. Adapted from AICPA. 2020.

In TPRM, SOC2 reports are commonly used as a tool to verify that an organization has achieved the levels of controls within that type of SOC’s scope.

Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics