
SOC 2 Examinations

SOC 2 and SOC 3 examinations are used by service organizations to meet the needs of a broad range of users who need detailed information and assurance about the controls at the service organization relevant to the security, availability and processing integrity of its systems, and the confidentiality and privacy of the information processed by these systems. The AICPA has set forth specific trust services criteria within each trust services principle, which the service organization’s controls must meet in order to satisfy the principle.

SOC 2 Type I

A SOC 2 Type I report is a report on management’s description of a service organization’s system and the suitability of the design of controls over Security, Availability, Processing Integrity, Confidentiality, or Privacy. The SOC 2 Type I generally addresses the organization’s system and the design effectiveness of controls as they pertain to the applicable trust services criteria. Similar to the SOC 1 Type I, the report is made up of a description of the service organization’s “system” and controls, management’s assertion on the presentation and design of controls over Security, Availability, Processing Integrity, Confidentiality, or Privacy, and the auditor’s report and opinion.

SOC 2 Type II

A SOC 2 Type II report is a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over Security, Availability, Processing Integrity, Confidentiality, or Privacy. SOC 2 Type II examinations differ from Type I examinations in that the reports include an opinion on the operating effectiveness of the controls as well as the design effectiveness. The components of a Type II report are similar to those of a Type I report, but are expanded to include the procedures used by the auditor to test the stated controls and the results of such tests.
