SOC 2 Report (AT 101)

Skoda Minotti Risk Advisory Services provides an affordable, efficient approach to SOC 2 compliance. We bring Big Four expertise without the expense to clients ranging from small private firms to Fortune 500 companies and specialize in assisting with first-time compliance.

A SOC 2 report is an engagement performed under the AT section 101 and is based on the existing SysTrust and WebTrust principles. This report will have the same options as the SSAE 18 report where a service organization can decide to go under a Type I or Type II audit. However, unlike the SSAE 18 audit that is based on internal controls over financial reporting the purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality or privacy. The criteria for these engagements are contained in the Trust Services Principles Criteria and Illustrations.
Organizations asked to provide an SSAE 18, but do not have an impact on their client’s financial reporting should select this reporting option.
SOC 2 reporting standard was created by the AICPA to fill the gap for organizations that were being requested to have a SSAE 18 but did not officially meet the criteria of what the SSAE 18 standards required.  The AICPA strategically created three different SOC reporting options to more closely align service organizations third party compliance. Now companies can obtain the correct and recognizable third party assurance report.

Who Should Obtain a SOC 2 Report?

Any organization that wants to put their information systems up against best practices to ensure that they have controls to provide security, confidentiality of stored information, processing integrity of transactions, system availability and privacy.  Many organizations are good candidates for a SOC 2 report and we provide services not limited to the following industries:

  • Hosting providers (web hosting, e-mail hosting, document storage, backup service providers, cloud computing, dedicated server, network administrators, and more)
  • Production printing (direct mail marketers, print and mail providers)
  • Software as a Service (SaaS)
  • Application Service Providers (ASP)
  • Health care service providers
  • Government service providers
  • And more….

*If you are a service provider and may potentially impact the control environment of one or more of your clients' financial reporting activities, you should consider a SOC 1 Report (SSAE 18).

How are We Qualified to Provide a SOC 2 Report?

By definition, since we are a licensed CPA firm we can provide SOC 2 reports since we are a member of and governed by the American Institute of Certified Public Accountants (AICPA).  However, we feel that not only should you have the CPA firm credentials but also the Information Technology expertise.  That is why at Assurance Concepts all of our field auditors are required to have a minimum of 5 years of information technology consulting experience and a technology based and recognized designation.  Our auditors have designations that include but are not limited to Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Management (CISM), Qualified Security Assessor (QSA) and more.

Why Skoda Minotti Risk Advisory Services?

Outside of our industry recognized qualification, we are the most flexible and adaptable audit firm in the world. The clients based on five of the seven continents we provide a global base of experience while maintaining the right structure to be adaptable in order to meet our ever changing client demands.  Assurance Concepts never puts your project on hold and is fully dedicatd to ensure you receive that first rate service we live by.

We do all this and deliver on the promise of:

  • Competitive and dynamic fee and invoicing structures
  • Ongoing regulation notifications and customer support
  • Secure technology project facilitators
  • High-quality professionals

SOC 2 — Criteria?

SOC 2 reporting criteria are identical to the Trust Services (click here to go to our trust services page) criteria.  The difference between a SOC 3 Report and the SOC 2 is the format of the deliverable. SOC 2 reports are virtually identical to SOC 1 reporting and provide detail report and testing procedures for your third parties to evaluate.  SOC 3 reporting is very limited reporting and only provide enough information to understand the scope and results of auditing. The meat of SOC 1 and 2 reporting is not provided in the SOC 3 options.

Call us for a free consultation and quote.

Skoda Minotti Risk Advisory Services

Our concept is to bridge the gap for our clients from wanting to comply to becoming compliant.  We understand the regulatory pressures and the demands of your customers requesting a SOC 2 report.  Each of our audits are customized and designed to assist your company in a seamless process from the time we initiate the audit to finalizing your SOC 2 audit report. All of our auditors have a depth of experience in a variety of industries and we have a good understanding of your business and how this relates to a SOC 2. Each SOC 2 audit report is unique and we provide the necessary related industry knowledge and SOC 2 expertise to deliver quality audit reports that your customers will accept.

As a large majority of audits are technical in nature, Skoda Minotti Risk Advisory Services will engage auditors with certifications such as CISSP, CISA, CISM, QSA, CIA in addition to CPAs onsite to complete your company’s audit. Call us today and find out how we can make your SOC 2 audit a successful one.


Assurance Concepts is now Skoda Minotti Risk Advisory Services. Click here to visit this page on our new website: SOC 2 Report (AT 101).

More Information