What is a SOC 2 Report and Why it is Necessary to your Firm
August 25, 2022 in Afinety Cloud Platform, Security
By: Kshitiij Kathurria
The Service Organization Control (SOC) 2 report demonstrates that an independent accounting and auditing firm has reviewed and examined an organization’s non-financial control objectives and activities and has rigorously tested those controls for operational effectiveness.
A SOC 2 report demonstrates the extensive security and reporting controls that an IT vendor or provider must have to protect confidential data. SOC requirements are based on the following Trust Service criteria (TSC):
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability: Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
Not every SOC 2 report addresses or attests to all of these criteria; however, it does speak to the completeness and rigor of an organization’s IT system (as it relates to the specific criteria covered), with Security being the most frequently audited criterion.
Sounds impressive, but why is this important to my firm?
SOC 2 reports come in the following types:
- Type I: This report provides a “snapshot” of the design of the security controls of an organization’s system as of a specific day.
- Type II: This report is more in-depth and thoroughly examines the security controls of an organization’s system over a period of time (typically six to twelve months). Type II reports are often seen as a complete form of attestation.
Your data is highly sensitive and confidential. In today’s world, it’s imperative to partner with an IT service provider that has obtained this highest level (SOC 2-Type II) report. Afinety is committed to increasing our security posture and that of our clients.
How does this impact my firm?
By working with a SOC 2-Type II attested partner, you are assured that your data is kept secure through standardized controls defined in the AICPA Trust Service Criteria (TSC) framework.
With the Afinety Cloud Platform (ACP), client data is encrypted in transit and at rest in AWS or Citrix. Backups are performed daily. Numerous other safeguards are in place, such as firewalls, monitoring, and redundancy. Additionally, our clients’ servers are protected with the Nextgen Managed Detection and Response (MDR) solution from SentinelOne (Complete + Vigilance). This robust security solution provides 24×7 monitoring of all servers hosted in ACP and uses Artificial Intelligence (AI) to help identify malicious acts in real time.
The SOC 2-Type II report confirms that the ACP meets or exceeds the most stringent security measures that align with industry standards and best practices, as set by the AICPA. SOC 2-Type II guarantees the implementation of internal controls for security over a significant amount of time. The requirements and security measures are constantly monitored, evaluated, and updated to reflect changing needs and offer the safest environment for conducting business. Afinety met the AICPA standard with zero exceptions or qualifications, the highest security standard set by the organization.
Cloud solutions and networks developed by other organizations that do not offer a SOC 2-Type II audit report do not provide the same level of assurance.
Afinety’s security services consistently evolve to ensure that we offer current and tested solutions to protect our clients’ data and systems. Contact us to learn more about SOC 2-Type II and what questions to ask your current provider.