TBC Information Network

Teal, Becker & Chiaramonte offering valuable insights, impressions and commentary on today's financial and business world.

SOC 2

SOC 2 engagements address controls at the service organization that relate to operations and compliance. SOC 2 reports specifically address one or more of the following key system attributes, known as the Trust Services Principles: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is intended to be a report from the service organization’s management to its customers’ management (not auditor to auditor). There are two types of SOC 2 reports:

  • Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. Testing over a period of time is what distinguishes a Type 2 report from a Type 1. Type 1 reports are as of a point in time and typically are only performed in the first year of reporting, and then Type 2 examinations are performed thereafter.
