AICPA Trust Services Criteria (TSC) (SOC 2)


    American Institute of Certified Public Accountants

    The AICPA Trust Services Criteria (TSC) for SOC 2 reporting is intended to provide detailed information and assurance about controls at a service organization relevant to security, availability, processing integrity, confidentiality and privacy.

    Last Updated: July 30, 2019


  • General

    The SOC 2 reporting framework was introduced by the American Institute of CPAs (AICPA) and is one of the three System and Organization Controls (SOC) published by the AICPA. SOC 2 together with SOC 1 and SOC 3 provide a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.

    There are two types of reports under SOC 2: a type 1 report on management’s description of a service organization’s system and the suitability of the design of its controls at a point in time; and a type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of its controls over a period.

    SOC 2 reports can be used in the oversight of an organization, in vendor risk management programs, in internal corporate governance and risk management processes, and in demonstrating compliance with regulations.

    SOC 2 reports apply AICPA Trust Services Criteria (TSC) to evaluate controls over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity’s operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity. The TSC are classified into five categories:

    • Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
    • Availability. Information and systems are available for operation and use to meet the entity’s objectives.
    • Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
    • Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
    • Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

    In addition to the TSC, a service organization may engage the service auditor to examine and report on additional subject matter against additional criteria. For example, a SOC 2 report may examine a service organization’s compliance with the HIPAA security requirements set out in the HIPAA Administrative Simplification rules (Code of Federal Regulations, Title 45, Sections 164.308–316).

    A SOC 2 report consists of a service auditor’s report on whether the entity maintained effective controls over its system according to the TSC. When an organization requests examination of additional subject matter and criteria, the service auditor also examines and reports on whether that additional subject matter is presented in accordance with the additional suitable criteria used to evaluate it. Any person can be an intended user of the report.
