Service Organization Controls (SOC) reports are issued by an American Institute of Certified Public Accountants (AICPA) assessor. SOC reports are conducted by independent, third-party auditors and are managed as a standard by the AICPA. There are three levels of SOC reports: SOC 1 covers internal controls over financial reporting; SOC 2 covers controls over security, availability, processing integrity, confidentiality, and privacy; and SOC 3 is a general-use report that provides only the auditor's opinion on whether the system being tested achieved the trust services criteria (security, availability, processing integrity, confidentiality, and privacy). A SOC 2 Type II report is a control-specific protocol that is particularly relevant to outsourcing risk management.
Type II reports contain the auditor’s opinion on the effectiveness of controls. Adapted from AICPA. 2020. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
In third-party risk management (TPRM), SOC 2 reports are commonly used as a tool to verify that an organization has achieved the level of control within that SOC type's scope.