SOC 2 is one of three groups of SOC reports: SOC 1, SOC 2 and SOC 3. The SOC 1 report is prepared in accordance with Statements on Standards for Attestation Engagements (SSAE 16) for reporting on controls relevant to internal control over financial reporting (ICFR); this attestation engagement is commonly known as a Service Organization Controls 1 report. The SOC 2 and SOC 3 reports are prepared in accordance with SSAE’s AT Section 101 and are used to report on controls relevant to security, availability, processing integrity, confidentiality, or privacy.
The SAS 70 report was superseded by the three Service Organization Controls (SOC) reports, effective 15 June 2011.
• May be better suited for outsourced technology-focused services and assessment of overall technology controls.
• Independent examination of controls.
• Concept of Type 1 (design of controls only) and Type 2 (design and operating effectiveness of controls).
• Reporting on nonfinancial controls.
• Adherence to the defined principles and related criteria, making reports comparable from different service organizations; omissions stated in the auditor’s opinion.
• Used to emphasize system security, availability, processing integrity, confidentiality and privacy.
• Includes details of the processing and controls at a service organization, the tests performed by the service auditor, and the results of the tests.
• May address privacy and availability, generally excluded from a SOC 1 report (especially privacy).
• Distribution of report not as restricted as a SOC 1 report; includes individuals with the ability to understand the content of the report.