Service Organization Control (SOC) reports are a product of the American Institute of Certified Public Accountants (AICPA). SOC audits are conducted by CPAs so that the audited organization can share information with its customers and other interested third parties. There are three kinds of SOC reports – SOC1, SOC2 and SOC3. When it comes to an organization’s ability to demonstrate compliance with cybersecurity requirements, a SOC2 report provides that assurance.
The attestation of the organization’s compliance with cybersecurity is encapsulated in the SOC2 Report that is issued by the CPA firm.
Vestige has experience conducting SOC2 audits through our relationship with a Certified Public Accounting firm. Vestige conducts the technical assessment, and the CPA relies on our workpapers, testing and findings when issuing the report.
Type 1 vs Type 2
There are two types of SOC2 reports – a Type 1 and a Type 2. A Type 1 audit provides an attestation as to the design (only) of the control environment, considered as of a specific date (“point in time”). A Type 2 audit provides attestation both of the design of the control environment and of the effectiveness of the controls. In addition, the effectiveness of the controls is evaluated over a period of time (generally 12 months).
Typically, the first time an organization goes through a SOC2 audit it is hard-pressed to show effectiveness of its controls over a period of time; as such, it is common for an organization going through a SOC2 for the first time to elect a Type 1. As the organization continues to improve its cybersecurity posture, it moves on to a SOC2 Type 2 report.