Loading...

SOC 2+: Enhancing SOC 2® compliance with additional frameworks | Baker Tilly

soc 2 compliance

Webinar

SOC 2+: Enhancing SOC 2® compliance with additional frameworks

Feb. 26, 2025 · Authored by Garrett Gosh, Kelly Bourbon, Jacob Mahkorn

Cybersecurity risks and technological threats become more evolved – and more dangerous – every day, putting questions surrounding client data security, transactional process integrity and data availability during potential downtimes at the heart of successful risk management. System and Organizational Controls (SOC) 2 and SOC 2+ examinations can help address these critical issues.

In this recent webinar, Baker Tilly SOC specialists broke down SOC 2+ preparedness, pros, cons and authoritative guidance use cases.

A SOC 2 refresher

As SOC 2+ builds upon the original framework of SOC 2 with additional components, it is important to first begin with an understanding of SOC 2 and how the two differ.

SOC 2 is a framework that evaluates a service organization’s ability to protect data belonging to its user entities (i.e., customers). It focuses on the security, availability, confidentiality, processing integrity and privacy of the customer data in the system. This evaluation is performed by an independent Certified Public Accountant (CPA) firm which provides a reasonable assurance opinion over the design, implementation and operating effectiveness of the internal controls.

A SOC 2 is:

An examination providing reasonable assurance
Intended to promote trust between a service organization and its user entities
Inclusive of an opinion provided by an independent CPA firm

And a SOC 2 is not:

Absolute assurance
A guarantee that commitments made to customers are met
A one-size-fits-all report
A replacement for internal controls

Garrett Gosh

Garrett Gosh

Principal

Baker Tilly Professional Kelly Bourbon

Kelly Bourbon

Director

Related sections

Pros and cons of a SOC 2+ examination

According to the American Institute of Certified Public Accountants (AICPA) SOC 2 guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (paragraph 1.71), in some situations, two separate engagements with two separate reports may better serve the user’s needs compared to a SOC 2+ engagement. In such cases, management and the service auditor may work together to determine the type of engagement and report that would best meet the user’s needs. Our collaborative approach helps ensure that the chosen engagement aligns with the organization’s objectives and provides the necessary assurance to stakeholders.

When deciding whether to pursue SOC 2+, your organization should consider several factors to help ensure the proper course of action. SOC 2+ may or may not be the best option when “assurance” over multiple frameworks is required to satisfy contractual obligations with customers or adhere to regulatory requirements. While SOC 2+ can reduce audit fatigue and satisfy multiple requirements at once for broadly applicable controls, it is a longer, more complex report that will result in higher fees compared to a standalone SOC 2.

Baker Tilly can help you determine which approach is best for your organization. Connect with us.

AICPA examination guidance use cases

While the guidance for categorizing SOC is issued by the AICPA, it isn't the only type of examination an organization may complete. The AICPA defines three types of examinations: assertion-based, direct and compliance. These examinations share three important characteristics: they all provide reasonable assurance, they must be conducted by an independent CPA, and they are designed with risk and materiality in mind.

Although differentiating between these examinations may seem complex, the general purpose of each is the same: to assess whether criteria are being followed. For example, in an assertion-based examination, your auditor will provide an opinion on the fairness of management's assertion regarding compliance. In a direct examination, rather than management's assertion of compliance, your auditor will examine the criteria directly to form a professional opinion, rather than relying on management’s assertion. The third type, a compliance examination, evaluates an organization's compliance with requirements often necessitated by governmental agencies seeking to determine an organization’s eligibility for grants or funding.

Regardless of the examination type, if your organization is being asked to validate whether certain criteria are met, an examination may be the correct course of action.

Connect with our risk advisory team