
SOC 2

SOC 2 (System and Organization Controls 2, originally Service Organization Control 2) is a voluntary attestation framework for service organizations developed by the American Institute of CPAs (AICPA). When a CPA firm audits an organization for SOC 2, it assesses the organization's controls and processes against the five Trust Services Criteria (historically called trust service principles). Only the Security criteria are required in every SOC 2 report; the other four are covered only when they are in scope for the engagement.

  1. Security
    • Network and application firewalls
    • Intrusion detection
    • Two-factor authentication
    • Threat monitoring
    • Antivirus software
    • Employee security awareness training
  2. Availability
    • Performance monitoring
    • Disaster recovery
    • Incident handling
    • Backup procedures
    • Contingency plans
    • Business continuity plans
  3. Processing Integrity
    • Quality assurance
    • Process monitoring
    • Processing error handling
    • Data input validation
    • Data output reconciliation
    • Transaction tracing and auditing
  4. Confidentiality
    • Encryption
    • Access controls
    • Firewalls
    • Confidentiality agreements
    • Data classification
    • Data retention and disposal policies
  5. Privacy
    • Data collection policies
    • Data usage policies
    • Data retention policies
    • Disclosure and consent procedures
    • Access request procedures
    • Third-party data-sharing agreements

The CPA firm reviews documentation, interviews employees, and tests controls to determine whether the organization has policies, procedures, and technologies suitable for the criteria in scope. The depth and specifics of the audit vary with the service organization and the scope of the engagement. A Type I report evaluates the design of controls at a point in time, while a Type II report also tests whether those controls operated effectively over a review period of several months.
