SOC 2 reporting

SOC 2 distinguishes between a SOC 2 Type 1 and SOC 2 Type 2 statement.

  1. The SOC 2 Type 1 audit looks at how the organization plans to run its processes and control measures. This audit tests the existence of procedures and measures.
  2. The follow-up to the SOC 2 Type 1 report is a SOC 2 Type 2 audit. SOC 2 Type 2 assurance involves testing whether the established procedures and controls have actually been followed.
  3. To maintain a SOC 2 Type 2 statement, an annual audit takes place, comparing whether the organization in question has worked in accordance with the procedures described and whether the measures worked effectively during the previous year. A SOC 2 Type 2 report gives existing and potential customers insight into the quality of IT services that IT service organizations provide to their users.

The SOC 2 Type 1 report provides an assessment of:

  • To what extent the description of the IT service organization's system, including internal control measures, faithfully represents reality, and
  • To what extent the design of the internal control measures is adequate.

The SOC 2 Type 2 report adds:

  • To what extent the internal control measures worked effectively over a period of time.