Compliance White Papers

Taking the hassle out of staying compliant


Service Organization Control (SOC) 2 reports will be conducted in accordance with AT Section 101 and will use the AICPA audit guide (released in April of 2011, along with subsequent releases) titled "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy". SOC 2 reports should therefore be used when reporting on controls other than those likely to be relevant to user entities' internal control regarding financial reporting (i.e., controls outside that of financial reporting). Much like SOC 1 | SSAE 18 reports, SOC 2 reports can be either Type 1 or Type 2. As noted above, when this audit guide is used, the engagement for a SOC 2 report must be performed in accordance with AT Section 101.

SOC 2 Audits are Here to Stay - NDNB Offers Fixed-Fees

So, what will the commonly accepted "street" phrase be for SOC 2 reports? It's unclear at this point, but what is well-known and readily accepted by practitioners (i.e., CPAs and auditors alike) is that engagements conducted in accordance with the AICPA audit guide titled "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy" will play a very large and significant role in service organization reporting. Why? Because its true purpose and merit is that of reporting on controls outside that of financial reporting, for which there are literally scores of entities that fall under this category. Think cloud computing, Software as a Service (SaaS), or software development companies, just to name a few. Ironically, this is where SAS 70 strayed, as it became an auditing standard that was incorrectly used for many service organizations. SOC 2 reports seem to want to right this wrong.

Learn more about reporting on controls outside that of financial reporting and the impact that AT Section 101 will have.

Since 2006, NDNB has been setting the standard for security & compliance regulations