System and Organization Controls (SOC) 2 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.
SOC 2 reports are based on the existing Trust Services Criteria (TSC) of the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The purpose of the report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.
The SOC 2 report concludes with the independent third-party audit firm's opinion, which describes the organization’s system and assesses the fairness of the organization's description of controls. The audit firm’s opinion also evaluates whether the organization's controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
SOC 2 and SOC 3 reports are both attestation examinations conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is that a SOC 2 is a restricted-use report, while a SOC 3 is a public-facing report.