
SOC 2 is a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. This guide is intended for those evaluating a service organization's SOC 2 report as part of a governance, risk and compliance (GRC) program, a vendor assessment, a security evaluation, a business continuity plan or another control evaluation. It may also be useful to those considering requesting a SOC 2 report from an existing vendor that does not currently provide one, or from a new vendor as part of the due diligence or request for proposal (RFP) process. Specific users of this guide might include:
- Management of the user entity
- Those in procurement and contract negotiation
- Those overseeing vendor management
- Practitioners evaluating or reporting on controls at a user entity
- Independent auditors of user entities
- Regulators
- Those performing services related to controls at the service organization, such as a service auditor reporting on controls at a user entity that is also a service provider to other user entities
AICPA and ISACA have jointly released this guide to provide user entities with the information they need when interpreting the SOC 2 reports received from service organizations. This guide also complements the companion white paper titled New Service Auditor Standard: A User Entity Perspective available at www.isaca.org/service-auditor-standard.