What is a SOC 2 Compliance Report and Why it Matters to Your Business

Written by Systems Engineering | January 01, 2024

When considering a managed service provider (MSP) for your business, it's important to evaluate their approach to securing sensitive data. Conducting due diligence to ensure that the MSP has the necessary controls in place to protect your sensitive information is highly recommended. Fortunately, a trustworthy MSP can demonstrate its commitment to security by providing an impartial third-party SOC 2 Report. This report is a voluntary annual review and can be a valuable source of information for establishing trust with an MSP.

What is a SOC 2?

The evidence of an MSP's security culture comes from an annual “Service Organization Control” (SOC) Type 2 audit. This is a voluntary audit performed by an independent third-party Certified Public Accountant (CPA) designated by the American Institute of Certified Public Accountants (AICPA). The audit covers five areas of concern:

  • SECURITY: The system is protected against unauthorized access (both physical and logical).
  • AVAILABILITY: The system is available for operation and use as committed or agreed upon.
  • PROCESSING INTEGRITY: System processing is complete, accurate, timely, and authorized.
  • CONFIDENTIALITY: Information designated as confidential is protected as committed or agreed.
  • PRIVACY: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.

The TSPC (Trust Services Principles and Criteria) of security, availability, and processing integrity are used to evaluate whether a system is reliable.

Each principle has defined criteria or controls that are measured against the Trust Service Criteria and must be met to demonstrate adherence. The audit results either confirm or take exception with an organization’s design of its controls and the operating effectiveness of those controls. When all standards are fully met, the auditing firm issues an “unqualified opinion,” which means no material exceptions were found.

Our SOC 2 compliance is not a one-time achievement; it requires ongoing monitoring and improvement. Each year, we undergo a SOC 2 audit to demonstrate our continuous commitment to actively managing and mitigating potential risks, ensuring our organization meets the standards set by the Trust Service Principles. Approved SOC 2 compliance auditors visit our offices annually to review and validate the effectiveness of our internal controls. We strive to maintain the highest level of professionalism and responsibility for our clients, which is why we voluntarily undergo a review of our environment each year. Although this audit is not required, we are committed to the annual examination so our clients know we can be trusted with their sensitive data and processes, and to reinforce our commitment to high standards of information security.

To learn more, email info@systemsengineering.com, or call 888.624.6737 to speak to a Systems Engineering representative.