The SOC 2 (Service Organization Control 2) report is an examination of engagement performed by a service auditor in accordance with the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards, vol. 1). The intent of a SOC 2 report is to provide an understanding of the details of the processing and controls in-place at a service organization by testing the design of the controls and their operating effectiveness with the goal of instilling confidence and gaining trust in that service organization’s systems.
A core requirement for SOC 2 reporting is developing a description of the service organizations system, that is, a detailed and comprehensive narrative that describes the services provided along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.
The report proves the design and operating controls for the Security and Availability Trust Service Principles were tested, and found to be suitably designed and operating effectively.