Article

SOC 2+ FAQs: How to enhance SOC 2® compliance

Feb. 26, 2025 · Authored by Garrett Gosh, Kelly Bourbon, Jacob Mahkorn

Baker Tilly’s webinar, SOC 2+: Enhancing SOC 2 compliance with additional frameworks, took a deep dive into extending SOC 2 compliance by integrating frameworks like (Health Information Portability Accountability Act (HIPAA), International Organization for Standardization (ISO), Health Information Trust Alliance (HITRUST) and National Institute of Standards and Technology (NIST). We hope the questions from attendees and our responses are insightful for everyone.

Ready to discuss your compliance needs?

Connect with us

SOC 2 and SOC 2+ reports

If a company is Sarbanes-Oxley (SOX) compliant as part of an annual independent audit, will a SOC 2 or SOC 2+ report add any value?

It absolutely can and does. SOX is primarily focused on internal controls that can impact your financial reporting, meaning SOX controls are often “business” or “operational” in nature. Technical controls do come into play, but generally only to the extent that they relate to your financial reporting. SOC 2, on the other hand, still relates to your internal control environment but it is over the security, availability, confidentiality, processing integrity and/or privacy of the systems specific to your customers’ data.

Have you performed SOC 2 + Family Educational Rights and Privacy Act (FERPA)?

Garrett Gosh

Principal

Kelly Bourbon

Director

SOC 2+ FAQs: How to enhance SOC 2® compliance

Ready to discuss your compliance needs?

SOC 2 and SOC 2+ reports

If a company is Sarbanes-Oxley (SOX) compliant as part of an annual independent audit, will a SOC 2 or SOC 2+ report add any value?

Have you performed SOC 2 + Family Educational Rights and Privacy Act (FERPA)?

Garrett Gosh

Kelly Bourbon

Related sections

Do you see SOC 2 report requests for Artificial Intelligence (AI) applications? Is the final SOC report different?

AI appears to be getting added to SOC 2 reports. Are there anticipated frameworks to be added later?

What type of organizations should provide a SOC 2 report?

Is there any overlap between SOC 2 and New York State Department of Financial Services (NYDFS)?

What is Baker Tilly’s experience with Amazon Web Services (AWS) or Microsoft Azure supplying a SOC 2+ of their systems to their clients?

Are there limitations to what frameworks can be added to the SOC 2+?

Does a standard SOC 2 report that has availability, confidentiality or process integrity count as a SOC 2+?

HITRUST and other frameworks

How can you explain to organizations that a stand-alone HITRUST report isn't acceptable to satisfy compliance requirements since the assessment doesn't measure operating effectiveness of controls?

What is the main difference between HITRUST and SOC 2? With HIPAA information as a factor, how should an organization determine if they should do a HITRUST assessment or a SOC 2 assessment?

Can a HITRUST assessment be performed by a professional other than a CPA?

Is there a framework that an organization can implement that covers or maps to all other frameworks?

SOC 1® vs SOC 2

What is the difference between SOC 1 and SOC 2?

Similar to financial technology companies (fintechs), can SOC 1 and SOC 2 be combined into one report?

Is there a requirement that auditors have a CISA or other IT certification?

Specific compliance scenarios

Are law firms defending physicians, hospitals and insurance companies covered under HIPAA?

Why would I need a SOC 2 for a financial support system that is already accredited by a Certified Third-Party Assessor Organization (C3PAO) at the moderate level under NIST 800-171 requirements?