What Is A SOC 2 Report?

If your company works with multiple vendors, you’ve likely been asked to provide a SOC 2 report. A SOC 2 audit
requires service organizations to establish and follow strict information security policies and procedures around a company’s internal controls. SOC 2
SM audit reports are based on the AICPA Trust Service Principles (TSP), and each of the five principles have defined criteria which must be mapped to individual controls. If any criteria is not mapped to a specific control activity, then the report must address the exceptions, or SOC 2 controls need to be created and implemented.

Why SOC 2 Compliance Should Be Prioritized

In the wake of numerous high impact data breaches many organizations are strengthening their vendor management requirements for all their service providers — financial and nonfinancial. Any organization that provides services that involve the collection, storage, processing or transmission of information received from customers must ensure that their internal controls are secure. This includes any and all information technology and business process controls that touch customer data. It’s now become a common practice for customers of service organizations to request information about their service providers’ data controls from a SOC 2SM report. This empowers stakeholders (and their auditors) to easily evaluate vendors and maintain better oversight of the organizations that they do business with. During contract renewal periods, if they’re not careful, an organization could be at risk of being let go in favor of a vendor who has a SOC 2 report ready.

If you’ve been asked by a customer or prospect to provide a System and Organization Controls (SOC) 2 audit report, contact a Withum SOC specialist online, or give us a call at (609) 520-1188 and ask for Tony Chapman to discuss any of your questions or concerns.

What Does A SOC 2 Audit Report Cover?

The five SOC 2 control objectives (AICPA principles) include:

  1. Security
  2. Availability
  3. Processing integrity
  4. Confidentiality, and
  5. Privacy

SOC 2 compliance requires the Security section of the report to be completed, while the four other sections are optional. So, in layman’s terms, a service organization requesting a SOC 2 audit must include the TSP of Security. Then, depending on the services provided by the service organization,they can elect to add one or more of the additional four principles to the report. The SOC 2 is a restricted use report that can only be distributed to existing customers and their auditors.

The Two Types of SOC 2 Reports

Like the SOC 1 report, there are two types of SOC 2 audits —the SOC 2 Type I and the SOC 2 Type II report.

  • SOC 2 Type 1
    This report describes a vendor’s systems and whether or not their design is suitable to meet relevant AICPA trust principles
  • SOC 2 Type 2
    The Type 2 audit is extremely comprehensive, and it details the operational effectiveness of the vendor systems described in the Type I report

Who Can Perform A SOC 2 Audit?

In order to get a SOC 2 audit report, you’ll need to engage with an AICPA approved, third-party independent CPA. Withum has a team of SOC specialists that are trained and well-versed in the intricacies of SOC 2 compliance and the needs of our clients. To discuss your SOC 2 report needs with one of Withum’s SOC Specialists, contact us online.


SOC Audit Seal

  • aicpa-soc-audit-services


Anurag Sharma


Princeton, NJ - Corporate Headquarters

Stephanie Fitzgerald


Princeton, NJ - Corporate Headquarters