What does a SOC Report Cover?
A SOC 2 report focuses on the needs of a broad range of users who need information and assurance about controls at a service organization. As outlined by AICPA’s Trust Services Criteria (TSC), SOC 2 reports are based on 5 criteria:
Type I examinations cover the design of a service organization’s controls, but not the operating effectiveness.
Type I reports are issued to organizations that have controls in place but have not yet audited them.
A readiness assessment can be performed even before the Type I SOC report to understand your service organization’s existing controls and to identify recommendations that should be implemented prior to the full Type I SOC assessment.
A Type II Audit Report covers a period, typically 12 months (e.g., January 1, 2019 – December 31, 2019).
- A Type II audit covers the design and operating effectiveness of the internal controls over a defined period.
- A Type II SOC engagement provides reasonable assurance that the controls operated effectively to meet the service organization’s control objectives over the service commitments and system requirements during the period under review.
- AICPA guidance recommends that a reporting period cover a minimum of six months. The guidance also indicates that a Type II report which covers a period of fewer than six months is unlikely to be useful to user entities and their auditors.
Our team of IT audit professionals has broad experience in completing SOC attestation engagements for service organizations worldwide. If you need further information or assistance on SOC engagements, please contact us: firstname.lastname@example.org