SOC 2

SOC 2 (Service Organization Control 2) is a voluntary compliance standard for service organizations developed by the American Institute of CPAs (AICPA). When a CPA firm audits an organization for SOC 2 compliance, it assesses the company's controls and processes related to the five trust service principles.

1. Security
   • Network and application firewalls
   • Intrusion detection
   • Two-factor authentication
   • Threat monitoring
   • Antivirus software
   • Employee security awareness training
2. Availability
   • Performance monitoring
   • Disaster recovery
   • Incident handling
   • Backup procedures
   • Contingency plans
   • Business continuity plans
3. Processing Integrity
   • Quality assurance
   • Process monitoring
   • Processing error handling
   • Data input validation
   • Data output reconciliation
   • Transaction tracing and auditing
4. Confidentiality
   • Encryption
   • Access controls
   • Firewalls
   • Confidentiality agreements
   • Data classification
   • Data retention and disposal policies
5. Privacy
   • Data collection policies
   • Data usage policies
   • Data retention policies
   • Disclosure and consent procedures
   • Access request procedures
   • Third-party data-sharing agreements

The CPA firm will review documentation, interview employees, and test controls to ensure the organization has appropriate policies, procedures, and technologies to meet the SOC 2 trust principles. The depth and specifics of the audit may vary depending on the service organization and the scope of the audit.