SOC 2+ FAQs: How to enhance SOC 2® compliance
Feb. 26, 2025 · Authored by Garrett Gosh, Kelly Bourbon, Jacob Mahkorn
Baker Tilly’s webinar, SOC 2+: Enhancing SOC 2 compliance with additional frameworks, took a deep dive into extending SOC 2 compliance by integrating frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO), Health Information Trust Alliance (HITRUST) and National Institute of Standards and Technology (NIST). We hope the questions from attendees and our responses are insightful for everyone.
SOC 2 and SOC 2+ reports
If a company is Sarbanes-Oxley (SOX) compliant as part of an annual independent audit, will a SOC 2 or SOC 2+ report add any value?
- It absolutely can and does. SOX is primarily focused on internal controls that can impact your financial reporting, meaning SOX controls are often “business” or “operational” in nature. Technical controls do come into play, but generally only to the extent that they relate to your financial reporting. SOC 2, on the other hand, still relates to your internal control environment but it is over the security, availability, confidentiality, processing integrity and/or privacy of the systems specific to your customers’ data.
Have you performed SOC 2 + Family Educational Rights and Privacy Act (FERPA)?
- To date, we have not issued a SOC 2+ with FERPA as an additional framework. In order to do so, ideally your “base” SOC 2 report should include the privacy category, as that is the subject matter of the FERPA regulation. From there, you could identify the additional controls/requirements needed to meet the FERPA regulation.
Do you see SOC 2 report requests for Artificial Intelligence (AI) applications? Is the final SOC report different?
- Baker Tilly has not yet fielded many SOC 2 report requests for AI applications. However, with the rise of AI technologies, we anticipate engaging with organizations to perform SOC 2 services over AI applications. Whether an in-scope system is a claims processing platform or an AI-driven enterprise data warehouse, the SOC 2 criteria do not change unless the AICPA updates them. However, here are some specific control areas to focus on when scoping an AI platform into the SOC 2 criteria:
  - Risk management: Ensure that risk management functions include risk evaluation and regulatory compliance of the AI platform.
  - Data governance: Implement measures to protect sensitive data and comply with relevant data protection regulations.
  - Model management and integrity: Establish processes for ensuring AI model data is accurate and complete (this would be important if the processing integrity criteria were in scope for the examination).
AI appears to be getting added to SOC 2 reports. Are there anticipated frameworks to be added later?
- Possibly. While several AI frameworks exist, none has risen to the top to reign supreme. However, should your organization utilize AI in a significant way, and should your customers be interested in understanding the controls you have in place related to AI, it is likely that existing AI frameworks could be included as a supplemental framework in a SOC 2+ report.
What type of organizations should provide a SOC 2 report?
- Any organization handling sensitive information (e.g., Personally Identifiable Information (PII), Protected Health Information (PHI)) on behalf of customers and whose customers either contractually require a SOC 2 report or are regularly requesting the completion of security or risk questionnaires should consider a SOC 2.
HITRUST and other frameworks
How can you explain to organizations that a stand-alone HITRUST report isn't acceptable to satisfy compliance requirements since the assessment doesn't measure operating effectiveness of controls?
- Contrary to common belief, operating effectiveness testing is executed as a part of HITRUST validated assessments.
What is the main difference between HITRUST and SOC 2? With HIPAA information as a factor, how should an organization determine if they should do a HITRUST assessment or a SOC 2 assessment?
- There are many differences between HITRUST and SOC 2. For instance, HITRUST is a certifiable framework, whereas SOC 2 is an attestation report. In addition, HITRUST integrates multiple frameworks and regulations, whereas SOC 2 is based on the Trust Services Criteria from the AICPA. As for determining whether to perform a HITRUST assessment or a SOC 2 assessment, it will vary from organization to organization. An organization should take into consideration contractual agreements in place with clients and third parties, as well as state, federal and international regulatory requirements. The HITRUST framework was initially developed for organizations that have to comply with HIPAA. A HITRUST validated assessment may be the right answer in this case: although the HITRUST framework has become industry agnostic, HIPAA requirements can still be selected as in scope for an assessment. For help navigating these complexities, contact us.
Can a HITRUST assessment be performed by a professional other than a CPA?
- HITRUST assessments do not have to be performed by CPAs. However, 50% of the hours worked on HITRUST validated assessments must be performed by a HITRUST Certified CSF Practitioner (CCSFP) or a Certified HITRUST Quality Professional (CHQP). Individuals can be certified through training and successful completion of an exam provided by HITRUST.
Is there a framework that an organization can implement that covers or maps to all other frameworks?
- Generally, NIST 800-53 is among the most comprehensive of the established information security frameworks. However, the chosen framework may not address all matters your customers or regulators deem relevant. The opposite may also be true: the chosen framework may be too comprehensive. Whichever framework your organization selects, customization may be required. For help navigating these complexities, contact us.
SOC 1® vs SOC 2
What is the difference between SOC 1 and SOC 2?
Similar to financial technology companies (fintechs), can SOC 1 and SOC 2 be combined into one report?
- Not always. Each report has its own purpose—a SOC 1 report is intended to include only those controls which are relevant to user entities’ internal control over financial reporting (ICFR). A SOC 2 report is intended to include the controls relevant to security, availability, confidentiality, processing integrity and/or privacy. While often similar, “business” or “operational” controls necessary in a SOC 1 do not always translate completely to the controls needed to meet the processing integrity criteria in a SOC 2. Said differently, the purpose of a SOC 1 report is to ensure user entities’ financial statements have correct numbers reported. Conversely, the purpose of a SOC 2 report with processing integrity is to ensure data processing integrity is in place; this may not translate to user entities’ ICFR accuracy. In addition, different user entities may have different contractual requirements. Lastly, financial statement auditors who are auditing the service organizations’ financial statements require a SOC 1 for their audit procedures and will not be able to leverage a SOC 2 (even with processing integrity included) for those purposes.
Is there a requirement that auditors have a CISA or other IT certification?
- No, but to sign the opinion in a SOC report, the practitioner must be a Certified Public Accountant (CPA). However, in addition to the CPA credential, many Baker Tilly practitioners are Certified Information Systems Auditors (CISA), Certified Information Technology Professionals (CITP) or hold another IT or information systems-focused credential. Connect with us.
Specific compliance scenarios
Are law firms defending physicians, hospitals and insurance companies covered under HIPAA?
- Law firms that perform services for covered entities, such as physicians, hospitals and insurance companies, are considered business associates under HIPAA and thus, must comply with HIPAA.
Why would I need a SOC 2 for a financial support system that is already accredited by a Certified Third-Party Assessor Organization (C3PAO) at the moderate level under NIST 800-171 requirements?
- While there are many overlapping control areas (e.g., access controls, risk assessment, security operations) between NIST 800-171 and SOC 2, the key difference between the two engagements is that a SOC 2 requires an independent CPA firm to perform an examination, and the resulting SOC 2 report contains the CPA firm’s audit opinion. A NIST 800-171 assessment performed by a C3PAO, by contrast, is just that: an assessment, and it does not include a formal audit opinion. Understanding what your organization, as well as your organization's clients (including government entities), prospective clients and vendors are requiring will help determine whether a SOC 2 examination is needed in addition to a NIST 800-171 assessment.