What is a SOC 2 Audit?

A SOC 2 audit is an audit of a service organization’s non-financial reporting controls as they relate to the Trust Services Criteria – the security, availability, processing integrity, confidentiality, and privacy of a system.

A SOC 2 audit report provides user entities with reasonable assurance and peace of mind that the non-financial reporting controls at a service organization are suitably designed, in place, and appropriately protecting sensitive client data. Below, we explore the two types of SOC 2 audit reports.

How is a SOC 2 audit different from a SOC 1 audit? Watch our SOC 1 vs SOC 2 video or explore our guide to find out!

SOC 2 Type I vs. Type II: What’s the Difference?

  • Objective – Type 1: To assess the design of controls at a specific point in time. Type 2: To evaluate the operational effectiveness of controls over a period of time.
  • Focus on Time – Type 1: Examines controls as of a specific date. Type 2: Examines controls over a minimum period of six months.
  • Nature of Audit – Type 1: Point-in-time assessment. Type 2: Period-of-time assessment.
  • Evaluation of Controls – Type 1: Assesses if the company’s controls are properly designed to meet the Trust Services Criteria. Type 2: Assesses both the design and the operational effectiveness of the controls.
  • Report Length – Type 1: Generally shorter, as it only covers the design of controls at a single point. Type 2: Generally longer, as it covers the operation of controls over a period of time.
  • Usefulness – Type 1: Useful for organizations that want to demonstrate they have a system in place with designed controls. Type 2: Useful for organizations that want to show their controls are not only designed properly but also operating effectively over time.
  • Audience – Type 1: Potential clients, partners, and stakeholders interested in the design of controls. Type 2: Potential clients, partners, and stakeholders interested in the effectiveness of controls over time.
  • Frequency of Audit – Type 1: Typically performed once as a preliminary assessment. Type 2: Performed annually or as required by stakeholders.
  • Cost – Type 1: Generally less expensive due to the narrower scope. Type 2: More expensive due to the extended period of evaluation and more comprehensive nature.
  • Ideal For – Type 1: Newer companies or those in the early stages of implementing a SOC program. Type 2: Established companies with mature controls looking to demonstrate effectiveness over time.
  • Report Content – Type 1: Describes the systems and whether the design of specified controls meets the relevant Trust Services Criteria as of a specific date. Type 2: Includes the information in Type 1 and also describes the operating effectiveness of controls over a review period.
  • Trust Services Criteria – Type 1: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type 2: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
  • Certification Validity – Type 1: No ongoing validity; it’s a snapshot in time. Type 2: Provides ongoing assurance about the system, valid for the duration of the audit period.

SOC 2 Type I and Type II both report on the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria. There are many other similarities between SOC 2 Type I and SOC 2 Type II reports, but there is one key difference.

What is a SOC 2 Type I Report?

A SOC 2 Type I report—also written SOC 2 Type 1—is an attestation of controls at a service organization at a specific point in time. SOC 2 Type I reports on the description of controls provided by the management of the service organization and attests that the controls are suitably designed and implemented.

What is a SOC 2 Type II Report?

A SOC 2 Type II report—also written SOC 2 Type 2—is an attestation of controls at a service organization over a minimum six-month period. SOC 2 Type II reports on the description of controls provided by the management of the service organization, attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls.

During a SOC 2 Type II audit, the auditor will carry out field work on a sample of days across the testing period to observe how controls are implemented and how effective they are.

As you can see, the key difference between SOC 2 Type I and SOC 2 Type II reports is that Type II reports are conducted over a significantly longer period. This allows Type II reports to attest to control effectiveness, something that is not possible with the shorter Type I report, which can only attest to the suitability of design and implementation.

Which SOC 2 Compliance Report Is Right for Your Business?

As a CPA firm, we advise clients who are engaging in a SOC 2 audit for the first time to begin with a Type I and move on to a Type II the following audit period. This gives service organizations a good starting point and more time to focus on the description of their system, allowing them to mature their environment over time.

Start Your SOC 2 Audit Journey with KirkpatrickPrice Today

Many organizations are required to undergo a third-party SOC 2 audit, but we know this process can feel overwhelming. That’s why we’re here to partner with your organization from audit readiness to final report! If you have questions about which type of SOC report you need or want help demonstrating to your clients your commitment to security and compliance, connect with one of our experts today.

More SOC 2 Resources

SOC 2 Academy 

SOC 2 Compliance Checklist

Understanding Your SOC 2 Report 

SOC 2 Compliance Handbook: The 5 Trust Services Criteria 

What’s The Difference Between SOC 1, SOC 2, and SOC 3?

You know you need to complete a SOC 1 audit but aren’t sure if you need a SOC 1 Type I or a SOC 1 Type II.

What sets them apart and which makes the most sense for your organization’s needs? Don’t let the complexities of SOC reports overwhelm you!

Below, we explore the importance of a SOC 1 audit report and compare the SOC 1 Type I vs Type II audit reports to help you decide which is best for your business needs.

What is a SOC 1 Audit?

A SOC 1 audit, or System and Organization Control 1 engagement, is an audit of internal controls at a service organization that may affect their clients’ internal control over financial reporting (ICFR). A SOC 1 audit report provides user entities with reasonable assurance and the peace of mind that the controls at a service organization are operating effectively and appropriately protecting client data.

There are two types of SOC 1 audit reports: SOC 1 Type I and SOC 1 Type II.

What is a SOC 1 Type I Audit?

A SOC 1 Type I audit checks control design and implementation at a service organization at a certain time. It focuses on the effectiveness of these controls and whether they are suitably designed to achieve the intended objectives. This audit type provides a snapshot of the controls in place and their ability to safeguard client data and ensure the accuracy of financial reporting.

In a SOC 1 Type I audit, the auditor checks the control environment, risk assessment, control activities, information systems, and monitoring. They evaluate these controls for proper design and implementation to mitigate risks and ensure financial information integrity.

The resulting audit report covers the service organization’s system, the controls in place, and the auditor’s opinion on the suitability of these controls. It provides valuable information to user entities, such as clients and stakeholders, about the effectiveness of the controls and the level of assurance they can have regarding the service organization’s internal control over financial reporting.

What is a SOC 1 Type II Audit?

A SOC 1 Type II audit is an extension of the Type I audit, providing a more comprehensive evaluation of the service organization’s controls. While the Type I audit focuses on control design, the Type II audit assesses the operating effectiveness of these controls over a specified period, typically six to twelve months.

During a SOC 1 Type II audit, the auditor examines the service organization’s controls and processes to ensure they are not only designed appropriately but also implemented and functioning effectively. This involves testing the controls to determine if they are operating as intended and providing the necessary level of assurance.

Additionally, the auditor will review various aspects of the service organization’s operations, including its policies, procedures, and documentation. They will also conduct interviews with key personnel and perform sample testing to validate the controls’ effectiveness. This rigorous evaluation helps identify any weaknesses or deficiencies in the controls and provides recommendations for improvement.

The SOC 1 Type II audit report includes a detailed description of the service organization’s system, the controls in place, and the auditor’s opinion on the operating effectiveness of these controls. This report is valuable to user entities as it provides them with a higher level of assurance regarding the service organization’s internal control over financial reporting.

By undergoing a SOC 1 Type II audit, service organizations demonstrate their commitment to maintaining strong internal controls and providing reliable services to their clients. It gives clients and stakeholders confidence in the service organization’s ability to safeguard their financial information and mitigate risks.

SOC 1 Type I vs. SOC 1 Type II

  • Time Frame – Type I: Specific point in time. Type II: Minimum six-month period.
  • Evaluation Focus – Type I: Design and implementation of controls. Type II: Design, implementation, and operational effectiveness.
  • Report Emphasis – Type I: Suitability of design and implementation of controls. Type II: Suitability and operational effectiveness of controls.
  • Ideal Use – Type I: For initial assurance of control design and implementation. Type II: For comprehensive evaluation over a period.
  • Benefits for Clients – Type I: Assures control design and implementation. Type II: Demonstrates consistent operational effectiveness.

Purpose

The SOC 1 Type I Audit serves as a snapshot of control efficacy at a single moment.

The SOC 1 Type II Audit extends this scope over a minimum period of six months, offering a more comprehensive understanding of the organization’s operational control environment.

Focus

The SOC 1 Type I Audit evaluates the design and implementation of controls within the organization, ensuring they are suitably constructed and installed.

By contrast, the SOC 1 Type II Audit delves deeper by additionally examining the operating effectiveness of these controls over time. This broader focus in the Type II audit provides a more in-depth analysis of how well the controls function in the day-to-day operations of the organization.

Report Contents

The SOC 1 Type I Audit report details the controls as provided by the management of the service organization, attesting to their suitable design and implementation.

Conversely, the SOC 1 Type II report encompasses all elements found in the Type I report, with the addition of an attestation to the operational effectiveness of the controls throughout the audit period. This inclusion in the Type II report offers a more thorough and dynamic understanding of the control environment.

Suitability

SOC 1 Type I Audits are ideal for organizations seeking to demonstrate their controls are appropriately designed and implemented. It’s a starting point for service organizations to showcase their control environment.

In contrast, the SOC 1 Type II Audit is more suited for organizations looking to not only prove the proper design and implementation of controls but also to affirm their consistent operational effectiveness over time. This makes the Type II audit a more comprehensive tool for organizations that wish to demonstrate an ongoing commitment to effective control management.

SOC 1 Type I vs Type II FAQs

Service organizations often have common questions when choosing a SOC 1 report type for their business. Below are the most common FAQs we receive during the SOC audit process.

Do I need a Type I or a Type II report?

The key difference between a Type I and Type II report is the attestation on the operating effectiveness of controls. A Type I report is an attestation about controls at a service organization at a specific point in time, and a Type II report is an attestation about controls at a service organization over a period of time.

Observing controls over a period of time allows for verification that controls are suitably designed and operating effectively – whereas a Type I report attests that controls are suitably designed and implemented.

Many questions about the SOC report types depend on what your client is asking for. If they are satisfied with a Type I report, you may elect to undergo that audit and stop there. If you’re undergoing these audits to be proactive, we recommend getting a Type II report – but this doesn’t always mean you skip the Type I.

Do I have to complete a Type I audit before a Type II audit?

It is not a requirement to go through a Type I audit before you go through a Type II audit – but it is our recommendation. Gaining a Type II attestation on your very first audit will be a difficult process for your team – you have to be prepared to show your policies, controls, objectives, and commitment to compliance, all while establishing that your controls have been operating effectively for at least six months.

Doing a Type I audit first helps you understand the SOC audit process. It also helps you set control goals, identify business issues, and find areas for improvement before completing the Type II audit. We have found that when a service organization rushes to get a Type II report, the final result isn’t as valuable as it would be if they were better prepared.

Do I need to complete a gap analysis before the Type I or Type II?

Whenever any organization goes through any audit for the first time, we strongly recommend starting with a gap analysis. By starting the SOC audit process with a gap analysis, our auditors can identify any operational, reporting, and compliance gaps in your organization and advise you on strategies for remediation. Gap analyses compare what you’re doing to what regulations require of you. Once you receive the results of the gap analysis, your organization can remediate any identified gaps before the audit begins.

For a first-time SOC audit, a basic audit map may be: a gap analysis first, then the Type I audit, then the Type II audit. If you elect to skip the Type I, you can still choose to go through a gap analysis before the Type II audit. In some cases, organizations have thought they should skip the Type I audit, but after receiving their gap analysis results, they decided it would be wise to undergo the Type I before the Type II.

What happens if I fail the Type I?

SOC audits do not operate on a pass/fail system; instead, they provide reasonable assurance that an organization’s controls are suitably designed and operating effectively. Rather than passing or failing your organization, an auditor will issue a qualified or unqualified opinion.

Consider how an auditor would assess specific controls. Would an auditor find these controls suitably designed? Would we achieve reasonable assurance? If an auditor determines that a control was not in place or effective, then a qualified opinion would be issued.

This would sound something like, “Except for Control X, reasonable assurance is there. The controls have been suitably designed and operating effectively.” An unqualified opinion means there are no qualifications or significant exceptions being issued and reasonable assurance has been determined.

Start Your SOC 1 Type I and Type II Audits Today with KirkpatrickPrice

Many organizations are required to undergo a third-party SOC 1 audit, but we know this process can feel overwhelming. That’s why we’re here to support your organization from initial assessment to final report.

If you have questions about which type of SOC report you need or want help demonstrating to your clients your commitment to security and compliance, connect with one of our experts today. Our dedicated team will work closely with you to determine the most suitable SOC report for your organization’s needs.

More SOC 1 Resources

Understanding Your SOC 1 Report Video Series 

SOC 1 Compliance Checklist: Are You Prepared for an Audit? 

How to Read Your Vendor’s SOC 1 or SOC 2 Report?

The SSAE 18 (formerly SSAE 16), otherwise known as the SOC 1 report, is available in two types of reports: there’s a Type I Report, and a Type II Report. The Type I Report issues an attestation on the description of controls provided by management of the service organization, and there’s also an attestation that the controls are suitably designed and implemented. For a Type II Report, you have those two same sections in the report, plus an additional section that talks about the operating effectiveness of those controls over a period of time.

The Type II Report is concerned about that period of time, whereas a Type I Report is “as of a particular date.” So, your controls could be in place as of a particular date for a Type I Report, whereas for a Type II those controls must be in place and operating effectively over a period of time determined by you and the auditor that is involved in performing the engagement.

Implementing Internal Controls for SOC 1 Compliance

When an organization pursues SOC 1 compliance, they’ll be tested against the COSO Internal Control – Integrated Framework. This framework is one of the most common frameworks used to design, implement, maintain, and evaluate internal controls.

For an organization to successfully complete a SOC 1 audit, they’ll need to meet the three objectives of internal control, demonstrate that they have the five components of internal control in place and functioning, and implement the 17 COSO principles related to internal control outlined in the framework.

While we’ve already covered how organizations can meet the objectives of internal control, let’s take a look at the five components of COSO and what they mean for SOC 1 compliance.

What is the COSO Framework?

The COSO Framework is an industry-standard model for evaluating and implementing internal control systems within organizations. COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, a private-sector organization that develops frameworks and guidance on organizational governance, internal controls, risk management, and financial reporting.

The framework gives organizations a structure for managing risks and ensuring the reliability of financial reporting. It emphasizes the importance of internal controls, the procedures and processes organizations should use to safeguard assets, and it improves the accuracy of financial records.

The 5 Components of COSO: C.R.I.M.E.

The five components of COSO – control environment, risk assessment, information and communication, monitoring activities, and existing control activities – are often referred to by the acronym C.R.I.M.E. To get the most out of your SOC 1 compliance, you need to understand what each of these components includes.

Control Environment

How has management implemented policies and procedures that guide the organization? What tone has management set so that everyone knows they are expected to keep controls operating effectively and achieving the results management expects?

Risk Assessment

How does your organization assess risk in order to identify the things that threaten the achievement of its objectives?

Information and Communication

How does management communicate to their internal and external users what is expected of them? How do you make sure that you receive acknowledgement from those people that they understand what you’re asking them to do?

Monitoring Activities

How does management oversee the entire organization’s functionality? How do you identify when things aren’t working correctly and correct those deficiencies as quickly as possible?

Existing Control Activities

What are the controls that you currently have in place? Were they in place and operating effectively over a period of time?

Who Uses the COSO Framework?

The COSO Framework is primarily used by two parties: organizations looking to improve internal controls and auditors assessing those controls.

Internal Control Enhancement

Businesses adopt the COSO Framework as a strategic tool to enhance and maintain effective internal control systems. The framework provides a comprehensive guide to creating policies, processes, and procedures to manage risks and ensure accurate financial reporting.

For example, the COSO Framework helps businesses establish a robust control environment by fostering an organizational culture emphasizing integrity, ethical values, and the importance of internal controls.

By following each of the five COSO (C.R.I.M.E.) components and the 17 COSO principles, businesses and other organizations can systematically implement controls that will help them successfully complete audits, including SOC 1 audits.

Internal Control Audits

Auditors use the COSO Framework as a structured benchmark to assess the design and operational effectiveness of an organization’s internal controls. It guides the auditor’s assessment of the reliability of financial reporting and other factors governed by industry standards and regulations.

What Is the Relationship Between the COSO Framework and SOC 1 Audits?

SOC 1 is an audit focused on a service organization’s controls relevant to its clients’ financial reporting. It is governed by the Statement on Standards for Attestation Engagements (SSAE) No. 18.

SOC 1 is an essential report for service organizations that manage financial transactions or related client data. A successfully completed audit gives businesses confidence that a service provider has effective controls in place.

When a service organization undergoes a SOC 1 audit, the auditors use the COSO Internal Control Framework to evaluate the effectiveness of its internal controls. They assess whether the controls are suitably designed, properly implemented, and effectively operated to safeguard the accuracy and integrity of financial data.

What Should Organizations Do When They Discover Non-Compliance with One or More COSO Components?

It’s crucial to act swiftly and methodically when your organization finds it is not compliant with COSO Framework components. The first step is a detailed assessment to identify the areas of non-compliance and understand the underlying reasons.

Once you have identified areas of non-compliance, you should:

  • Develop a Remediation Plan: Create a detailed plan outlining corrective actions, resource allocation, responsibilities, and timelines. The plan should prioritize actions based on impact and urgency.
  • Implement Changes: Execute the remediation plan, which may involve revising policies, enhancing training, introducing new control activities, or upgrading systems. Ensure that these changes are well-managed and that staff are adequately supported.
  • Monitor and Document: Continuously monitor the effectiveness of changes and maintain detailed documentation throughout the process for audit and compliance purposes.
  • Seek External Expertise if Needed: If the compliance issues are complex, consider consulting COSO Framework or SOC 1 experts for specialized guidance and insights.

Partner with KirkpatrickPrice on Your Compliance Journey

Security and compliance are intimidating topics whether you’ve been through a hundred audits before or if this is your first one. That’s why we’re here to help. Security and compliance don’t have to remain a mystery. When you work with an auditing firm that cares about your well-being and success, audits won’t seem as scary anymore. If you are ready to start your audit or want to learn more about the COSO Internal Control – Integrated Framework, connect with one of our experts today.

What is an Audit Scope and How Does it Impact an Audit?

Knowing where your assets reside and which controls apply to them is critical for any organization. Why? It is the only way you can manage and secure them against a potential data breach or security incident.

During the initial phases of a SOC 1 or SOC 2 audit, an auditor will walk you through defining the scope of your audit. What does that entail? Below, we define an audit scope, explore scope requirements, and help you determine the right scope for your business audit needs.

What Is an Audit Scope?

Defining an audit scope sets boundaries for the assessment by requiring organizations to outline anything that could otherwise impact the security of the protected information. Understanding the scope is crucial for both the auditors and the entity being audited, as it sets clear expectations and focuses the audit efforts.

Key Audit Scope Components

By clearly defining the audit scope, auditors and stakeholders can ensure the audit is focused, efficient, and aligned with the organization’s objectives. Below are some key components to include in your audit scope.

  • Extent of Examination: Specifies which departments or functions of the organization or which processes will be included in the audit.
  • Time Period: Identifies the specific duration or financial year(s) the audit will cover, such as a fiscal period.
  • Depth of Audit: Determines how thoroughly each area will be examined and if the audit will be a high-level overview or a detailed examination.
  • Objectives and Goals: Outlines what the audit aims to achieve, such as compliance verification, financial accuracy, or process effectiveness. It also anticipates potential recommendations, improvements, or corrective actions that may follow the audit.
  • Regulatory Framework: Includes any specific laws, standards, policies and procedures, or regulations that the audit is designed to assess compliance with.
  • Resource Allocation: Details the resources (like manpower, technology, documentation, and data) that will be dedicated to the audit.
  • Reporting: Defines what content is included in the audit results, how the findings are reported and formatted, and to whom they are delivered.

How Do You Define the Scope of a SOC 1 or SOC 2 Audit?

When an organization partners with its auditor to define the scope of its SOC 1 or SOC 2 audit, it will typically answer questions such as:

  • Which locations are involved?
  • Do you have any third parties? What services do they provide?
  • How many business applications and technology platforms are involved?
  • Which systems are involved?
  • What people are responsible?
  • Which processes focus on internal control over financial reporting?

How Can a Well-Defined Audit Scope Help Identify Potential Risks and Issues?

A well-defined audit scope identifies potential risks and issues within an organization. Targeted risk assessment focuses on specific areas where risks are most likely to be present. It also ensures the audit is not only efficient but also effective in pinpointing where attention is needed most.

Additionally, a clear audit scope allows for optimal resource allocation, directing efforts and resources to the areas that are of high risk, thereby maximizing the effectiveness of the audit process.

Clarity is another significant benefit, ensuring the audit aligns with the most relevant risk areas and that critical issues are not overlooked. This alignment is essential for the audit to be truly effective in assessing and mitigating risks.

When mitigating risks, early detection of issues is critical. A focused audit scope helps identify problems at an early stage, allowing your business to take corrective actions in a timely manner. This proactive approach can prevent minor issues from escalating into major problems, saving the organization time and resources in the long run.

Lastly, a well-defined scope offers comprehensive coverage, ensuring the examination of all critical organizational areas without wasting resources on unnecessary or redundant areas. This thorough approach guarantees a complete and successful audit, covering everything and leaving no risk unnoticed.

Can Your Audit Scope be Too Broad or Too Narrow?

The scope of an audit can greatly impact the overall effectiveness. If the scope is too broad, an auditor could miss critical items during the assessment. If the scope is too narrow, an auditor might be unable to perform an accurate assessment or give an accurate opinion of an organization’s controls because some may have been left out.

This is why partnering with an expert, senior-level Information Security Specialist, like those at KirkpatrickPrice, is so critical. If you want to get the most out of your investment in a SOC 1 or SOC 2 audit, effective scoping is key.

Can the Scope of an Audit Vary for Different Organizations or Industries?

Yes, the scope varies significantly and depends on several elements, including:

  • Industry-Specific Requirements: Different industries have unique regulatory and compliance requirements influencing the audit scope.
  • Organizational Size and Complexity: Larger or more complex organizations may require a broader and more detailed audit scope.
  • Nature of Business Activities: Companies engaged in different activities (e.g., manufacturing vs. service) have distinct focus areas.
  • Risk Profile: Organizations with different risk exposures (financial, operational, technological) will have tailored audit scopes.
  • Previous Audit Findings: Past audit outcomes can influence the focus of future audits.

One of the very first things that you will do as part of your audit is work with your auditor on the definition of scope. You’ll go through a scoping process with us where we identify the policies and procedures, the people, and the locations.

For example, is there application development that’s in scope? Where are those developers located? Where do they do their work? What cloud applications are involved in this? What part of that is or isn’t in scope? What IT resources are in scope? Are there parts of the network that should be included or excluded from the audit?

We’ll go through that and define it because it is a very important step, and we have to know what the boundaries of the system are so that we can collect evidence from the appropriate people, processes, and technologies. Contact us today and enjoy working with one of our expert Information Security Specialists who will guide you through the scoping process.


SOC 2 Terminology

The Trust Services Criteria are a set of criteria established by the AICPA to be used when evaluating the suitability of the design and operating effectiveness of controls in a SOC 2 audit. There are five categories:

  • Security – Is the system protected, both physically and logically, against unauthorized access?
  • Availability – Is the system available for operation and use as agreed upon?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
  • Processing Integrity – Are the processing services provided in a complete, accurate, and timely manner?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?

All organizations must be audited against the security category, but they can decide which of the other categories to include based upon their unique environments and service offerings.

In the AICPA’s updates to SOC 2 reporting in 2018, there were quite a few SOC 2 terminology changes. Most notably, the Trust Services Principles and Criteria are now strictly referred to as the Trust Services Criteria. However, it’s important to note that the AICPA did not update the acronym to reflect this change. Instead, the acronym for Trust Services Criteria will remain TSP.

An additional SOC 2 terminology update is that security, availability, confidentiality, processing integrity, and privacy are now referred to as categories as opposed to criteria or principles. So, for example, when a service organization begins its SOC 2 audit journey, one of the first steps it will take is to determine which of the categories it needs to include in the audit.

Common Criteria and Additional Criteria

The common criteria refer to the complete set of criteria for the security category, which is what the remaining categories are based on. There are additional criteria for each individual category. For example, if a service organization includes both the security and availability categories, the SOC 2 audit will assess compliance with the common criteria as well as the following additional criteria for the availability category:

  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Work with KirkpatrickPrice to Meet Your SOC 2 Compliance Goals

For assistance deciding which categories best apply to your organization, or with help meeting your SOC 2 compliance goals, connect with one of our experts today!


There are some slight terminology changes in the 2017 SOC 2 Trust Services Criteria. Security, availability, processing integrity, confidentiality, and privacy are now known as categories. Anything that relates to all five of those categories is still referred to as common criteria. There are additional criteria provided for availability, processing integrity, confidentiality, and privacy – basically anything other than security. It’s important to know how these criteria are organized throughout the SOC 2 framework so that you can tackle your audit and become compliant with the SOC 2 requirements.