AT101 ( SOC2 )

More information


About AT 101 ( SOC2 )

A SOC 2 report is an engagement performed under the AT section 101 and is based on the existing Trust Services Principles, Criteria and Illustrations (SysTrust and WebTrust). This report will have the same options as the SSAE 16 report where a service organization can decide to go under a Type I or Type II audit. However, unlike the SSAE 16 audit that is based on internal controls over financial reporting the purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality or privacy. Organizations asked to provide an SSAE 16, but do not have an impact on their client’s financial reporting should select this reporting option.

SOC 2 reporting standard was created by the AICPA to fill the gap for organizations that were being requested to have a SAS 70 (now SSAE 16) but did not officially meet the criteria of what the SAS 70/SSAE 16 standards required. Until now there was really only one recognizable audit due to SAS 70 being the defacto standard audit for all service organizations. When SAS 70 was replaced by SSAE 16 on June 15, 2011, the AICPA strategically created three different SOC reporting options to more closely align service organizations third party compliance. Now companies can obtain the correct and recognizable third party assurance report.

Who Should Obtain a SOC 2 Report?

As a service provider you need to guarantee your customers that your IT controls are aligned, designed and applied effectively to its control objectives. Also, any organization that wants to put their information systems up against best practices and those who may use this report to ensure that they have controls to provide security, confidentiality of stored information, processing integrity of transactions, system availability and privacy. Many organizations are good candidates for a SOC 2 report and we provide services not limited to the following industries:

  • Hosting providers (web hosting, e-mail hosting, document storage, backup service providers, cloud computing, dedicated server, network administrators, and more)
  • Production printing (direct mail marketers, print and mail providers)
  • Software as a Service (SaaS)
  • Application Service Providers (ASP)
  • Health care service providers
  • Government service providers
  • And more….

Note: if you are a service provider and may potentially impact the control environment of one or more of your clients financial reporting activities you should consider a SOC1 ( SSAE 16 ) report.

How are We Qualified to Provide a SOC 2 Report?

Beyond being qualified as a CPA firm authorized to perform SOC 2 engagements, ControlCase Attestation Services (an independent ControlCase subsidiary), we are Information Technology experts, that is why at ControlCase Attestation Services all of our field auditors are required to have a minimum of 5 years of information technology consulting experience and a technology based and recognized designation. Our auditors have designations that include but are not limited to Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Management (CISM), Qualified Security Assessor (QSA) and more.

Why ControlCase Attestation Services?

Outside of our industry recognized qualification we are the most flexible and adaptable audit firm in the world. The clients based on five of the seven continents we provide a global base of experience while maintaining the right structure to be adaptable in order to meet our ever changing client demands. Assurance Concepts never puts your project on hold and is fully dedicated to ensure you receive that first rate service we live by.

We do all this and deliver on the promise of:

  • Competitive and dynamic fee and invoicing structures
  • Ongoing regulation notifications and customer support
  • Secure technology project facilitators
  • High quality professionals

SOC 2 Criteria?

The difference between a Trust Services (SOC 3 Report) and the SOC 2 is the format of the deliverable. SOC 2 reports are virtually identical to SOC 1 reporting and provides detail report and testing procedures for your third parties to evaluate. SOC 3 reporting is very limited reporting and only provide enough information to understand the scope and results of auditing. The meat of SOC 1 and 2 reporting is not provided in the SOC 3 options.