What is a SOC 2 Report? Well, if your company handles customer data, especially in the cloud, you’ve probably been asked for a SOC 2 report. If not, then you probably aren’t B2B or are very new to this. (Why are you here!?). Well, a SOC 2 Report is an audit of your infrastructure that is done by a CPA firm. It’s technically not a certification, although you will hear people call it that. It’s actually an independent attestation audit that can only be done and issued by a licensed CPA firm. The report is meant to show that your company has controls in place to protect systems and data. Basically, folks in vendor management or your prospective clients, across a wide variety of companies, will want one (or would like to see one) and they will review the report for how your company handles data.
The SOC 2 Report is designed for service providers like SaaS companies, cloud platforms, managed IT services, and data centers. Generally, the report is done to help your clients achieve their vendor management or procurement due diligence requirements that they may have over who maintains their data. Generally, SOC Reports can help give more trust to your clients as you are now “independently audited” and if done correctly, the reports may also shorten vendor due diligence assessments that your GRC/Compliance/Security/IT teams are probably familiar with by now.
There are two types of SOC 2 reports:
- SOC 2 Type I looks at whether your controls are designed properly as of a specific date. This is generally the type of report a company new to SOC 2 will first get as it shows you have implemented controls while you begin the period (that will be later tested) for your type II report.
- SOC 2 Type II goes further: it covers the same design evaluation as the Type I, but also evaluates whether the controls are operating as intended over time, usually over a period of several months. Unless you are new to the compliance reporting process or the scoped-in system is very new, generally speaking, most reports will be a Type II.
Type I vs. Type II
A Type 1 SOC report is like the glamorous wedding photo, showing that everything looked perfect at a single moment in time. A Type 2 SOC report is like doing laundry together six months later, showing that the relationship and the controls actually work in real life. Read more on the differences between each type of report.

Why it all matters
Submitting your systems to an independent assessment helps gain client trust. Moreover, this can help win larger clientele who may require such assurance reports for their due diligence. Many companies, especially larger ones, expect a Type II SOC 2 report before they’ll do business with a vendor. The end result is a report from an independent CPA firm that describes your environment and internal controls and how they meet the selected criteria.
Unlike certifications with a fixed checklist, SOC 2 is based on a set of flexible criteria called the Trust Services Criteria (TSC), developed by the AICPA. The history of the criteria and how they map to COSO, and everything involved with COSO and its principles is a fun audit/GRC rabbit hole in itself.
You can think of the TSC as a rulebook of criteria (sometimes called common criteria) that apply broadly across whichever trust service categories you include in your audit. These criteria are focused on how your company manages risk and protects systems and data. Generally, you would want to have in scope the areas that your customers care about or perceive as a risk to their operations when they are using you as a vendor. There are five possible categories/areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
None of them are strictly required, but Security is commonly included because it covers general protections like access controls and system monitoring that are relevant to most services. Organizations select the TSCs that align with the risks they manage and the needs of their customers, allowing the report to reflect what matters most for their environment.

1. Security
This is typical and common to see in any SOC 2 Report. The Security TSC is all about protecting information and systems, and focuses on preventing unauthorized access. It covers the basic controls that protect systems and data from unauthorized access, such as firewalls, multi-factor authentication, system monitoring, and intrusion detection. Security is the foundational criterion seen in SOC 2 reports.
2. Availability
This relates to whether your systems are up and running when customers need them. It includes performance monitoring, disaster recovery, and incident response. A cloud-based electronic health records (EHR) platform would likely include the Availability Trust Services Criteria in its SOC 2 report. Healthcare providers rely on constant access to patient records for critical care, so the system must have strong uptime commitments, disaster recovery processes, and performance monitoring in place to meet those expectations.
3. Processing Integrity
This covers the accuracy, completeness, and timeliness of data processing. It’s especially important for systems that automate transactions or provide data outputs, i.e. a system where customers expect payments or records to be processed accurately, completely, and in the correct order. Controls like input validation, transaction logging, and reconciliation processes help ensure that the system functions as intended without errors or delays.
4. Confidentiality
Probably the second most popular TSC after Security. Confidentiality is all about protecting sensitive information such as business plans, financials, or trade secrets. Typically it’s relevant where you have IT systems offering services or platforms that store sensitive customer documents, contracts, and case files that must be protected from unauthorized access. Encryption, strict access controls, and secure data transmission help ensure that only authorized users can view or handle confidential information.
5. Privacy
This deals with how you collect, use, store, and dispose of personal information. It’s particularly important if your service handles personally identifiable information (PII). Unlike Confidentiality, which protects sensitive business information from unauthorized access, Privacy focuses on how personal data is collected, used, stored, and shared in accordance with the organization’s privacy notice and applicable laws. Controls for Privacy include user consent management, data minimization, and procedures for handling user data requests or deletion.
Most companies start by focusing on Security, then add other areas depending on customer expectations or the type of data involved. For example, a healthcare company might also include Privacy, while a payment processor might focus more on Processing Integrity and Confidentiality. Generally, it depends on the type of services offered and what risks your customers are concerned with.
Why SOC 2 Compliance Matters
Getting SOC 2 compliant helps you build trust with your customers and shows you’re serious about protecting their data. It shows that you have put the right controls in place and that those controls have been independently tested. For any company handling sensitive information, it’s a meaningful step toward being more transparent, reliable, and aligned with what clients expect. If you’re thinking about a SOC 2, we can help you get started. Clicking around on the buttons on this site should steer you towards contacting us. Let us know if you need assistance or have any questions on getting a SOC 2 Readiness assessment.

At Sage Audits, We Work With You
We know audits can be overwhelming. Our goal is to make the process smoother, more understandable, and less stressful. We stand beside you with practical guidance—not just paperwork.
Whether it’s your first SOC 2 or a renewal, we’re here to help you get through it confidently and with real value. – Jordan Novak, Managing Partner