SOC® 2

Strengthen your customer’s confidence in your service organization with SOC 2.

While a SOC 1 Report revolves around financial reporting controls, a SOC 2 Report (System and Organization Controls 2 Report) focuses on non-financial controls relevant to the AICPA Categories:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

A SOC 2 is designed for service providers — such as Enterprise IT Outsourcing Services, Managed Security, Customer Support, Healthcare Claims Management & Processing, and FinTech Services —  to share information with their clients about the effectiveness of their controls related to operations

Schedule a consultation

Our SOC 2 Services

SOC 2 Readiness

This overview is designed to help the service organization prepare for the SOC 2 examination by identifying deficiencies, gaps, and other potential red flags, along with coaching so management can understand their options to repair them.

SOC 2 Type 1

A SOC 2 Type 1 Report expresses an opinion on the system description and the design of controls placed into operating as of a point in time. Simply put, this report tells your clients, prospective clients, and their auditors that you accurately represented the description of your system of control and describes the controls related to the AICPA Categories that have been placed into operation as of a point in time to meet your service requirements.

SOC 2 Type 2

A SOC 2 Type 2 Report expresses an opinion on the system description, the design of controls placed into operation and includes whether controls operated effectively throughout a historical period of time. This is typically a twelve-month period. Thus, in addition to what a Type 1 Report addresses, this report incorporates an additional step that 360 Advanced tested the controls and shares the results of those tests.

Purpose

The SOC 2 Type 2 assessment includes a description of the controls, the tests performed, the results of those tests, and an overall opinion on the functional design and operational effectiveness of those controls.

Scope

A SOC 2 Type 2 Report covers the AICPA’s Trust Services Principles and Criteria for Security, Availability, Confidentiality, and Privacy. The report also includes a mapping of the controls tested to ISO/IEC 27001:2013 Annex A / ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, HIPAA security requirements, and FFIEC’s examination guidelines for GLBA Information Security.

Frequency

SOC 2 Type 2 Audits are performed annually.

SOC 2+ Hybrid

A SOC 2+ takes the design of controls from a SOC assessment and adds in additional controls from other security frameworks to show compliance on a singular report.

Purpose

SOC 2+ reports provide an independent third-party opinion on the design and operating effectiveness of controls relevant to meet other compliance frameworks combined with the SOC 2 controls.

Scope

Additional subject matters and controls that can be included in a SOC 2+ include: HITRUST, HIPAA, and CSA STAR.

Frequency

SOC 2+ Audits are performed annually.

Learn more about SOC Reports with our free guide.

Download Our Guide to SOC Reports

See what our clients are saying about us.

The one thing that sticks out more than anything else is the audit readiness they provide before the audit process starts. I appreciated the coaching and mentoring we received so we were well prepared for the audit. 360 Advanced always answer their phones, whether for quick issues or questions. And, they are not nickel and diming us – we paid one fee and they are still assisting us post audit.

SAM FRENCH
Vice President and Chief Information Officer
R.C. Giltner Services, Inc.

I think the strength of SSA16 accreditation compliance has been such an advantage for us, allowing us to improve our processes, provide oversight and have our customers see the difference. The SOC examination has exceeded our wildest dreams. We are communicating this as part of our sales process and now it’s a requirement in nearly all the RFPs. We’ve won every single bid we submitted on since we received compliance. We think that is the key differentiator.

EXECUTIVE
Audit Services Company

You deserve a conversation, not a questionnaire.

We build long-term relationships through trust and value. If you’re looking for a trusted business advisor to build your holistic compliance strategy, let’s chat!