SOC 2: AT 101 Attestation
A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm, which opines on the design or operating effectiveness of a service organization's controls and whether one or more of the following five (5) defined criteria and/or principles have been achieved: security, availability, processing integrity, confidentiality and/or privacy.
360 Advanced is a boutique, registered CPA firm and an early adopter of the AICPA's Service Organization Controls (SOC) reporting framework.
The SOC 2: AT101 (SOC 2) report is most useful for service organizations whose clients do not necessarily rely on the reported controls for financial reporting purposes, but depend on their service organization's ability to maintain a controlled environment; formerly a SAS 70 report was issued for such service organizations. The SOC 2 report demonstrates to a service organization's clients the ability of the organization to be independently assessed against one or more of the five (5) AICPA Trust Services Principles:
- Security: The system is protected against both physical and logical unauthorized access.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the CICA.
A SOC 2 report, in addition to one or more of the AICPA Trust Services Principles, may also include criteria defined by management, industry standards or third parties. The criteria must meet the following basic characteristics:
The Advanced team provides three main types of SOC 2 Services – SOC 2 Readiness Assessments, Type 1 examinations, and Type 2 examinations. These services can be described as follows:
- SOC 2 READINESS ASSESSMENT: The objective of a SOC 2 Readiness engagement is to conduct a preliminary assessment and provide guidance that will empower the service organization to successfully prepare for, and achieve, an unqualified opinion on a SOC 2 Type 1 or Type 2 examination (see below). This is accomplished by assisting management in selecting relevant control principles, identifying control gaps related to the achievement of those principles for the services being audited, and then providing specific, actionable guidance for improving and maintaining the system of controls. The key deliverable from this engagement is a listing of controls and gaps that details the elements required to obtain a clean opinion.
- SOC 2 TYPE 1 EXAMINATION SERVICES: The objective of a SOC 2 Type 1 examination conducted by Advanced is the expression of an opinion about whether the system of controls has been effectively designed to meet the requirements defined in the control principles. The engagement is conducted in a manner that establishes the design of the system of controls as of a point in time, and that assists the service organization in improving the capability maturity of its core processes (and ultimately in being prepared to pass a SOC 2 Type 2 examination). The deliverables from the engagement include an Internal Project Monitoring document and a SOC 2 Type 1 report.
- SOC 2 TYPE 2 EXAMINATION SERVICES: The objective of a SOC 2 Type 2 examination conducted by Advanced encompasses the objectives of a SOC 2 Type 1 examination, and additionally includes the expression of an opinion about whether the controls were operating effectively to meet the requirements of the control principles during a specified period of time. The engagement is conducted in a manner that promotes continuous process improvement and adaptation to changing circumstances with regard to industry and user organization expectations.