A "Systems and Organizational Controls" (SOC) audit is used when an organization needs to attest to the security of its organization to a third party. A SOC 2 audit is performed by an accountant certified by the American Institute of Certified Public Accountants (AICPA).
A SOC 2 can be used to attest to any of the following principles:
- Security. The system is protected against unauthorized access, use, or modification.
- Availability. The system is available for operation and use as committed or agreed.
- Processing Integrity. System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
- Privacy. The system's collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization's privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CPA Canada.
When working with third parties, it is appropriate and reasonable to ask for the third party's SOC 2 attestation report. Similarly, when you are the third party, a successful SOC 2 report typically puts an end to security questions, as it makes clear that your organization has invested in security.
For more information on this topic please reach out to us; we're here to help!