
SOC 2 Audits


What is a SOC 2 audit?

A SOC 2 (Service Organization Control) audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality, and/or privacy controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria).

Until the launch of the AICPA's TSC, SOC audits were conducted exclusively against the independent third-party assurance standards ISAE 3402 or SSAE 16. 

SOC 2 audits are an important component in regulatory oversight, vendor management programmes, internal governance and risk management.

Speak to a SOC 2 expert

If you would like more information about our SOC 2 service, or you’re unsure whether your organization needs a SOC 2 audit, please get in touch and speak to one of our experts today.


What are the AICPA TSC?

The TSC are an industry-recognized, third-party assurance standard for auditing service organizations such as Cloud service providers, software providers and developers, web marketing companies, and financial services organisations.

They are classified into five trust services categories and are aligned with the 17 principles in the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework.

In addition to the 17 COSO principles, the TSC contain criteria that supplement COSO principle 12 (“The entity deploys control activities through policies that establish what is expected and procedures that put policies into action”).

These are divided into four categories:

  1. Logical and physical access controls
  2. System operations
  3. Change management
  4. Risk mitigation

Some of these apply across all five trust services categories.

Trust services categories

Service organizations must select which of the five trust services categories are required to mitigate the key risks to the service or system that they provide:

1. Security (also known as ‘common criteria’)

“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.”

This is the only mandatory trust services category.

2. Availability

“Information and systems are available for operation and use to meet the entity's objectives.”

3. Processing integrity

“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”

4. Confidentiality

“Information designated as confidential is protected to meet the entity’s objectives.”

5. Privacy

“Personal information is collected, used, retained, disclosed and disposed [of] to meet the entity’s objectives.”


Frameworks aligned with the TSC

The TSC are closely aligned with the following standards and frameworks:

What is in a SOC 2 audit report?

A SOC 2 audit report is designed to provide assurance to service organizations’ clients, management, and user entities about the suitability and effectiveness of the service organization’s controls that are relevant to security, availability, processing integrity, confidentiality, and/or privacy. The report is generally restricted-use for existing or prospective clients.

There are two types of SOC audits and reports:

  • Type 1 – an audit and report on the controls as they stand at a specified date.
  • Type 2 – an audit and report on the controls over a specified period of time, usually a minimum of six months.

A SOC 2 audit report includes:

  • An opinion letter;
  • Management assertion;
  • A detailed description of the system or service;
  • Details of the selected trust services categories;
  • Tests of controls and the results of testing; and
  • Optional additional information.

It also specifies whether the service organization complies with the AICPA TSC.

Who are SOC 2 audits designed for?

SOC 2 audits are targeted at organizations that provide services and systems to client organizations (for example, Cloud computing, Software as a Service, Platform as a Service).

The client company may ask the service organization to provide an assurance audit report, particularly if confidential or private data is being entrusted to the service organization.

If your organization provides Cloud services, a SOC 2 audit report will go a long way to establishing trust with customers and stakeholders. A SOC 2 audit is often a prerequisite for service organizations to partner with or provide services to tier-one organizations in the supply chain.

Who can perform a SOC audit?

A SOC audit can only be performed by an independent CPA (Certified Public Accountant) or accountancy organization.

SOC auditors are regulated by, and must adhere to specific professional standards established by, the AICPA. They are also required to follow specific guidance related to planning, executing, and supervising audit procedures. AICPA members are also required to undergo a peer review to ensure their audits are conducted in accordance with accepted auditing standards.

CPA organizations may employ non-CPA professionals with relevant information technology and security skills to participate in preparing for a SOC audit, but the final report must be provided and issued by a CPA. A successful SOC audit carried out by a CPA permits the service organization to use the AICPA logo on its website.

SOC 2 Audit Readiness Assessment and Remediation Service

We can help any organisation prepare for a SOC 2 audit.

The SOC audit process involves:

  • Reviewing the audit scope;
  • Developing a project plan;
  • Testing controls for design and/or operating effectiveness;
  • Documenting the results; and
  • Delivering and communicating the client report.

1. Readiness assessment

We assess your state of SOC 2 preparedness by evaluating the type of service you offer, the trust services categories applicable to that service and the security controls relevant to the delivery of the service. Among other things, we will examine and analyze your processes and procedures, system setting configuration files, screenshots, signed memos, and organizational structure.

2. Remediation

Once the shortfalls have been identified, IT Governance can help you remediate them. We can help with audit scoping, compiling the system or service description, risk assessment, control selection, defining control effectiveness measurements and metrics, or integrating your SOC 2 requirements into your ISO 27001-compliant ISMS (information security management system).

3. Testing and reporting

IT Governance has partnered with CyberGuard, a leading AICPA- and PCAOB (Public Company Accounting Oversight Board)-registered CPA audit organisation based in the US, which will perform the required testing and reporting.

IT Governance can assist with the full SOC audit process, from conducting a readiness assessment and advising on the necessary remediation measures through to testing and reporting, by virtue of its partnership with CyberGuard.

We facilitate the audit process and put the client in contact with our partners, which can deliver the audit at a fraction of the costs demanded by the Big Four accounting firms.

Contact us for more information

Why choose IT Governance?

IT Governance specialises in providing IT governance, risk management, compliance solutions and consultancy services, with a special focus on cyber resilience, data protection, cybersecurity, and business continuity.

In an increasingly punitive and privacy-focused business environment, we are committed to helping organizations protect themselves and their customers from the perpetually evolving range of cyber threats. Our deep industry expertise and pragmatic approach help our clients improve their defences and make key strategic decisions that benefit the entire organization.

IT Governance is duly recognised under the following frameworks:

  • CREST certified as ethical security testers.
  • Certified to Cyber Essentials Plus, the UK government-backed cyber security certification scheme.
  • Certified to ISO 27001:2013, the world’s most recognised cyber security standard.