CCSP: SOC 2 Type 2 Audit Principles Explained

Understanding the Five Principles of a SOC 2 Type 2 Audit

Question

SOC 2 Type 2 reports are divided into five principles.

Which of the five principles must also be included when auditing any of the other four principles?

Answers

C. Security

Explanations

Under the SOC 2 guidelines, whenever any of the four principles other than security (availability, confidentiality, processing integrity, or privacy) is audited, the security principle must also be included in the audit.

SOC 2 (System and Organization Controls 2, formerly Service Organization Control 2) reports evaluate the design and, in a Type 2 report, the operating effectiveness over a review period of a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 report is based on the Trust Services Criteria (TSC) developed by the American Institute of Certified Public Accountants (AICPA). The TSC groups its criteria into five principles (the AICPA now calls them Trust Services Categories) that are considered essential for evaluating the controls of a service organization. These principles are:

  1. Security: The system is protected against unauthorized access, both physical and logical.

  2. Availability: The system is available for operation and use as agreed upon.

  3. Processing integrity: System processing is complete, accurate, timely, and authorized.

  4. Confidentiality: Information that is designated as confidential is protected as committed or agreed.

  5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA.

The question asks which of the five principles must be included whenever any of the other four is audited. That principle is Security.

Security is the fundamental principle that underpins the other four. For example, to ensure the confidentiality of data, appropriate security controls must be in place to prevent unauthorized access. Similarly, to ensure the availability of a system, security controls must be in place to prevent denial-of-service attacks or other security incidents that could take the system offline. This is reflected in the structure of the TSC itself: the security criteria are designated the "common criteria" (the CC series), and they are mandatory in every SOC 2 engagement, while the other four categories are added at the service organization's option.

Therefore, when auditing any of the other four principles (Availability, Processing Integrity, Confidentiality, and Privacy), the Security principle must also be included, so that the audit confirms the controls in place adequately address the security risks and threats on which the other four depend.