Information security is a reason for concern for all organizations, including those that outsource key business operation to third-party vendors. Mishandled data – especially by application and network security providers can leave enterprises vulnerable to attacks, such as data theft and malware attacks.

SOC stands for “System and Organization Controls.” These were formerly Service Organization Control reports. SOC is a suite of reports from the AICPA that CPA firms can issue in connection with system-level controls at a service organization. Currently, there is a SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity report offering.

In addition, there are SOC + reports where another standard can be added (i.e. HIPAA, HITRUST, NIST, etc.). The AICPA is working on additional SOC offerings to include in the suite.

SOC 2 is an auditing procedure that ensures your service providers securely manage the data to protect the interests of your organization and clients privacy on five principles – Security, Availability, Processing integrity, Confidentiality and Privacy.

Contact Our Expert

There are three types of  SOC reports:

  • SOC 1 – Internal Control over Financial Reporting (ICFR)
  • SOC 2 – Trust Services Criteria
  • SOC 3 – Trust Services Criteria for General Use Report

What Does the SOC 2 Type 2 Audit Examine?

SOC 2 looks at five Trust Factors of secure data processing and storage. Demonstrating proficiency across one of more of these criteria is an attestation to the privacy and security controls:


The system is protected against unauthorized access, both physical and logical


The system is available for operation and use as committed or agreed


System processing is complete, accurate, timely, and authorized


Information designated as confidential is protected as committed or agreed


Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP)

SOC 2 reports can address one or more of the above Trust Factors.

What are SOC 2 Reports?

A SOC 2 report also falls under the SSAE 18 standard, though it is specifically addressed in sections AT-C 105 and AT-C 205. The SOC 2 report includes a service organization’s controls that are outlined by the AICPA’s  Trust Services Criteria (TSC), that are relevant to its services, operations, and compliance.

There are five available criteria that include security, availability, processing integrity, confidentiality, and privacy. The security criteria, which are also referred to as the common criteria, is the only required criteria to be included in the SOC 2.

The difference between SOC 1 and SOC 2 is that in a SOC 2 controls meeting the criteria are identified and tested, versus in a SOC 1 where controls meeting the identified control objectives are tested.

When should you pursue SOC 2 Certification?

Your organization should pursue SOC 1 if your services impact your clients’ financial reporting. For example, if your organization creates software that processes your clients’ billing and collections data, you are affecting your client’s financial reporting, and thus a SOC 1 is appropriate.

Another reason organizations pursue SOC 1 vs SOC 2 is if your clients ask for a “right to audit.” Without SOC 1, this could be a costly and time-intensive process for both parties, especially if several of your clients ask to submit a similar request. You may also need to comply with SOC 1 as part of a compliance requirement. If your company is publicly traded, for example, you will need to pursue SOC 1 as part of the Sarbanes-Oxley Act (SOX).

SOC 2, on the other hand, is not required by any compliance framework, such as HIPAA or PCI-DSS. But if your organization doesn’t process financial data but processes or hosts other types of data, SOC 2 makes sense. With today’s business climate being extraordinarily aware and sensitive to data breaches, your clients may want proof that you are taking reasonable precautions to protect their data and stop any leaks. We built an open source template for SOC 2 teams.

The choice to pursue SOC 1 vs SOC 2 depends on your organization’s situation. One critical determining factor when choosing between SOC 1 or 2 is whether your organization’s controls would affect your client’s internal control over financial reporting. You may want to engage with an audit firm to determine which SOC type (or both) is the right fit for your organization.

Who needs a SOC 2?


How will ESHA IT help?

We have the SOC 2 experts you need.

  • Our team has enabled organizations to meet SOC 2 requirements through their readiness & implementation services and worked on assisting them through the audit process. The clients have ranged from financial services to SaaS companies
  • Our partner CPA firm is an AICPA accredited firm and has done 275+ SOC 2 Attestations for their clients

Stages of SOC 2 Implementation

Our Value Propositions

Successfully assisted multiple clients to meet requirements of SOC2, ISO 27001, HITRUST
Leverage on and off shore team; bring in the right experts as needed
Prioritize overall security requirements
Program management of multiple activities
Ability to help successfully implement multiple standards through a common framework
Auditor Relations – Ability to bring on auditors for multiple standards
Scroll to Top


This website uses cookies to ensure the best user experience. By using this site, you agree to the use of cookies as explained in our privacy policy.