AICPA Service Organization Control Reports - SOC 2

Our SOC 2 program is current as of 2022. Some images may show AICPA SSAE 18 TSP Version 2016. AICPA is busy releasing SOC 2 for specific industries. Learn more by participating and staying current at the AICPA.

No SOC No Service

 “If your company currently uses third-party vendors to provide services that include the collection, processing, and/or retention of sensitive information, you should consider inquiring into whether they have successfully completed a SOC 2 Type 2 audit, as it helps to ensure a higher standard for protecting your data.” Jeanne Madden, Vice President Operations, ADP Tax Credit Services

EnterpriseGRC Solutions participates in the development of content for GRC and Security products.  EnterpriseGRC professionals implement a full stack of products and platforms necessary to a nimble Security Architecture.  

  • Customers and prospects demand a SOC 2 Type II report covering actual effectiveness of your core product systems.
  • Your evidence could reveal a lapse in security which may need to be disclosed.
  • Was your service down for any significant time?
  • Was the data processed effectively?
  • Did your application continually encrypt data over the audited timeframe?
  • External auditors share how well your systems, software, and procedures worked with actual data collected across a specified timeframe.
  • Findings in the report become the subject of conversation with all of your customers. These findings require remediation in order to maintain existing business.
  • In today’s cloud economy, customer due diligence has gone from nice to have to mandate.  


Customers demand evidence of reliable controls before placing their trust and dependency on service organizations. One of the most widely accepted ways to earn trust is the AICPA SOC 2 Type II report, aka, the TSP 100.  Trust Services Principles (TSP) are professional attestation containing essential criteria-based information for assessing controls. When engaged in reporting, however, determination of suitable and continuous evidence is time-consuming and sometimes impossible. Beyond the cost of third-party advisory services, the disruption that SOC 2 engagement can heap across your organization is both substantial and avoidable.

EntrpriseGRC Solutions Security and Compliance offers system-based controls mapping to align enterprise technology to the criteria of the TSP 100, making failure and success in IT controls continuously available to this reporting process.

Recently updated with enhanced privacy controls, (released in April of 2016), Trust Principles set out by the AICPA enable companies to limit exposure in reliance on third parties and is especially necessary when doing business with organizations falling under FISMA and SEC regulation. Third party vendor risk management often prevents business from placing a dependency on any MSP, SaaS, IaaS, or PaaS provider who has failed or is not yet engaged to successfully complete a SOC 2 report. 

soc 21

Main Menu