What Trust Services Principles are examined in a SOC 2 engagement? Describe the role of the criteria when evaluating these principles in a SOC 2 engagement.
What will be an ideal response?
As stated on the AICPA's website, SOC 2 engagements use the following five Trust Services Principles to evaluate whether a system is reliable:

- Availability: Determines whether the system is available for operation and use as committed or agreed.
- Security: Determines whether the system is protected against unauthorized access (physical and logical).
- Processing Integrity: Determines whether the system processing is complete, accurate, timely, and authorized.
- Confidentiality: Determines whether information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.

For each Trust Services principle there is a set of criteria, which specifies the attributes that the entity must meet to be able to demonstrate that it has achieved the principle. A practitioner may provide a SOC 2 report related to a single principle (e.g., Availability) or all criteria in combination. The criteria are used by the service organization to measure and present the subject matter and as a benchmark against which the CPA evaluates the subject matter. In order to receive an unqualified opinion, all criteria for a principle must be met unless a specific criterion is clearly not applicable. The criteria are organized in four broad categories: policies, communications, procedures, and monitoring. If one or more of the relevant principles or criteria are not fulfilled, a CPA can issue a qualified or adverse report. A SOC 2 report can be issued on any one or more of the five principles.