So what goes into a SOC 2 report, anyway?
There are five trust services criteria (TSC) that can be included in a SOC 2 report: security, availability, confidentiality, processing integrity, and privacy. Amanda Parnigoni, senior consultant for BARR’s attest services team, explains each criterion so you can better understand which categories you should include in your audit. Let’s dive in.
Notably, security is the only criterion every SOC 2 report must cover; availability, confidentiality, processing integrity, and privacy are optional. These additional criteria are not required for a complete SOC 2 report, but they can be useful additions. Typically, an entity adds criteria when there is a business need or when a customer requires it to highlight the processes and procedures surrounding one or more of these areas.
Including additional criteria does come at a higher cost and involves additional control activities, but most audit firms can and will map existing controls from the security category to the additional criteria, which reduces the extra work. Adding criteria, when there is a genuine need, can be a great way to add value and build trust with customers.
That said, a common mistake we see is companies piling on additional criteria without a business need. One example is a company wanting to add the privacy TSC even though it does not maintain personal information within its system. This creates more work for the organization while the payoff to customers may be minimal.
Ready to learn how BARR can help you simplify the path to security and compliance? Contact us today!
Amanda Parnigoni
Senior Consultant, Attest Services
As a Senior Consultant for BARR’s Attest Services, Amanda Parnigoni is responsible for leading and executing technology risk readiness assessments and audits, including SOC 1, 2, and 3. She is experienced in evaluating risk and IT controls for clients in various highly regulated industries.
Prior to joining BARR, Amanda was a Senior Associate at Marcum LLP, where she also served as a member of the diversity, equity, and inclusion task force. She holds a bachelor’s degree in business administration from the University of New Hampshire.