For service organizations operating in regulated markets (such as FinTech, Healthcare, or Government), a standard SOC 2® report often needs to be supplemented by other compliance verifications. Our specialized team helps you leverage a single examination to address the Trust Services Criteria (TSC) and the control objectives of an additional framework, resulting in one efficient, powerful report.

A SOC 2®+ examination is an extension of the standard SOC 2® report. It is performed under the SSAE 18 standard but includes additional criteria, controls, and testing procedures specific to another authoritative compliance framework (the "Plus"). Common "Plus" inclusions are HIPAA (for healthcare entities), ISO 27001, or other relevant criteria. The report provides assurance over the core TSC (Security, Availability, etc.) and validates that your systems meet the requirements of the chosen external standard. This examination is critical for organizations that handle sensitive customer information. The resulting SOC 2® report provides objective assurance that your service is designed and operating effectively to protect the data of your user entities.

The SOC 2®+ report is the ideal solution for service organizations facing diverse and complex compliance demands, providing a path toward consolidated reporting that replaces the need for multiple, separate assessments. By directly addressing specific control requirements mandated by industry regulations—such as the HIPAA Security Rule—this approach ensures you meet regulatory demands while demonstrating the highest level of commitment to security and adherence. This enhanced posture not only attracts and retains enterprise clients in regulated markets but also yields significant cost and time savings by reducing the overall internal effort, expense, and disruption typically associated with managing parallel compliance initiatives.

While the SOC 2® examination itself is typically a market requirement, the need for the "Plus" element is driven by specific contractual obligations or regulations related to the data you handle. For example, if you process Protected Health Information (PHI), your Business Associate Agreement (BAA) may mandate verification against HIPAA.

The process is similar to a standard SOC 2® but involves a more rigorous scoping phase to incorporate the second framework. Completing a SOC 2®+ requires partnering with a specialized firm like Auditwerx. The core phases are Readiness, Evidence Gathering, and Reporting, all integrated to cover both sets of control criteria simultaneously.
A SOC 2®+ examination provides a strategic advantage by transforming multiple compliance requirements into a single, cohesive assurance program. By combining control testing under one engagement, you can leverage significant overlap between frameworks.
A single, integrated engagement drastically reduces the overall cost of compliance compared to running two or more separate assessments (e.g., conducting a SOC 2® and a HIPAA verification back-to-back).
Testing is standardized across both the TSC and the external framework (e.g., HIPAA). This eliminates conflicting interpretations of control requirements and ensures unified documentation across your organization.
With thorough planning, we minimize the number of times your team is required to gather evidence and dedicate resources to external assessors. Your employees can remain focused on core business functions throughout the year.
The integrated report provides a comprehensive, single-source view of your risk posture, satisfying both data security/availability concerns (SOC 2®) and specific regulatory requirements (Plus framework) in one document.
The type of SOC 2®+ report you pursue depends on the level of assurance your regulated clients require.
| Report Type | Focus of the Examination | Assurance Provided | Key Use Case |
| --- | --- | --- | --- |
| Type 1 | Design of Controls | Opinion on the suitability of the design of controls as of a specified date against all combined criteria. | Provides a quick snapshot that controls are properly designed to meet all criteria. Used for initial reporting to win key contracts. |
| Type 2 | Design AND Operating Effectiveness | Opinion on the suitability of the design and the operating effectiveness of controls over a specified period (typically 6 to 12 months) against all combined criteria. | Provides the highest level of assurance, confirming continuous compliance with both SOC 2® and the “Plus” framework. Preferred by regulated clients. |
Our methodology focuses on clarity and integration, ensuring minimal disruption while securing a high-quality report that satisfies multiple compliance needs.
Integrated Scope & Criteria Definition: We define the in-scope services and systems, the relevant Trust Services Criteria (TSC), and the specific control requirements of the external framework (e.g., HIPAA Security Rule controls). This combined scope is documented in the System Description. Your organization is responsible for selecting the relevant TSC.
Gap Assessment: We perform a preparatory assessment to identify control deficiencies (gaps) against both the TSC and the external framework. Through this process we identify any gaps you may have in your control environment and provide insights as to how this may impact your assessment.
Report Type Selection: We guide you in selecting the appropriate report type: Type 1 (control design as of a specific date) or Type 2 (operating effectiveness over a period).
Evidence Collection: Our team efficiently gathers evidence to satisfy controls required by both the TSC and the external framework (e.g., using one access review log to satisfy both SOC 2® Security Criteria and HIPAA requirements).
Control Testing: We test samples of your control activities over the specified period (for a Type 2 report). This testing verifies the operating effectiveness of controls against the combined requirements of the SOC 2® criteria and the “Plus” framework.
Report Drafting: Our senior team drafts the comprehensive SOC 2®+ report, which clearly addresses all criteria, providing management’s System Description, our description of tests performed, and the results of our integrated testing.
Opinion Issuance: We issue our final opinion on the fairness of the System Description and the operating effectiveness (Type 2) of the controls against all selected criteria. The final report is delivered for distribution to your regulated clients and partners.
Choosing Auditwerx for your SOC 2®+ examination gives you a distinct advantage. Our simple SOC 2®+ process makes it easy for any size organization to meet the requirements of multiple frameworks.

We are proud to be an independent firm with no conflicts of interest in completing your report.

We focus only on controls and evidence that will score points in the final assessment.

Partner with a single firm throughout your entire compliance lifecycle. Our findings are objective and have no conflicts of interest.

Our U.S.-based team of assessment professionals is never outsourced.

200+ years of collective experience translates to the most efficient path to certification, saving you time and money.

We offer flexible integration with leading GRC tools, so you don't have to duplicate evidence.
A SOC 2®+ report is mandatory for organizations handling data that is subject to specific federal or international regulatory oversight, such as Protected Health Information (PHI) or complex financial data.
Serving the HealthTech Ecosystem

The SOC 2®+ report is tailored for the diverse HealthTech landscape, supporting SaaS platforms for EHR and telemedicine, as well as medical billing and coding entities handling sensitive financial and diagnostic data. It also provides essential validation for healthcare-focused managed service providers protecting ePHI in the cloud and pharmaceutical organizations managing PHI during clinical research. By unifying these standards, SOC 2®+ ensures that every link in the healthcare supply chain maintains the highest levels of security and regulatory compliance.
Organizations that require both general security assurance (SOC 2® TSC) and compliance with specialized regulatory mandates like GLBA or FFIEC guidance.
Companies based in the U.S. that process the data of European Union citizens (requiring GDPR criteria integration) or multinational organizations targeting ISO 27001 alignment.
Any authoritative set of control requirements can be included. The key advantage of the SOC 2®+ report is combining the foundational security assurance of the Trust Services Criteria (TSC) with external regulatory frameworks, which eliminates redundant testing. The most common “Plus” frameworks are:
HIPAA (Health Insurance Portability and Accountability Act): For entities handling Protected Health Information (PHI).
HITRUST Common Security Framework (CSF): For comprehensive risk-based security and compliance.
NIST SP 800-53: For government contractors or organizations needing a high degree of assurance over system security beyond NIST SP 800-171.
ISO 27001: For organizations needing international Information Security Management System (ISMS) assurance.
The choice depends on your contractual and regulatory obligations:
Choose standard SOC 2® if your clients require assurance primarily around core technology security, availability, or confidentiality, and do not impose specific regulatory compliance demands (like HIPAA).
Choose SOC 2®+ if you operate in a regulated industry (e.g., healthcare, finance) and need to satisfy the TSC and specific regulatory control requirements simultaneously.
A standard SOC 2® report only covers the AICPA’s Trust Services Criteria (TSC). A SOC 2®+ report includes the TSC plus an additional set of compliance criteria from a specific regulatory framework (like HIPAA, HITRUST, or GDPR). The SOC 2®+ provides a single, unified opinion that satisfies two sets of requirements, maximizing assurance with one examination.
No. If you are a Business Associate handling electronic Protected Health Information (ePHI), you are legally required to comply with the HIPAA Security, Privacy, and Breach Notification Rules. A standard SOC 2® report alone does not provide assurance over the specific HIPAA controls. You must specifically pursue a SOC 2®+ report that includes the HIPAA criteria to satisfy both client demands and regulatory requirements.
Similar to the standard SOC 2®, most regulated clients and business partners require a new SOC 2®+ Type 2 report annually. This ensures continuous assurance regarding the operating effectiveness of your controls against all included frameworks over the specified period.
The Trust Services Criteria (TSC) form the foundational framework for every SOC 2® examination. They define the specific control objectives against which your system’s design and operating effectiveness are assessed. For a SOC 2®+ engagement, this foundation is expanded to include a second set of authoritative requirements tailored to your industry. The selection process dictates the entire scope of the report and the controls that will be tested. The five TSC categories are:
Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Data designated as confidential is protected as committed or agreed.
Privacy: Personally Identifiable Information (PII) is collected, used, retained, disclosed, and disposed of in conformity with the entity’s commitments and the criteria set forth in the Generally Accepted Privacy Principles (GAPP).
…Both operations and assessment teams executed the engagement flawlessly, on-time and on-budget. The Auditwerx team provided us with the necessary guidance, tools and knowledge...We would highly recommend Auditwerx services to organizations of all sizes and requirement complexities.
VP, Customer Experience
...Their team has brought a level of knowledge and professionalism that has been unmatched. Our company is required to undergo a number of assessments annually with various firms and Auditwerx has truly been a pleasure to work with...
Information Technology & Security Manager
...The assessment itself was thorough, but non-disruptive. The team was highly professional and very knowledgeable. We recommend Auditwerx...without reservation.
General Counsel & Compliance Officer
As part of your overall compliance and assurance strategy, we offer examinations for the entire SOC report family. We can help you determine which report is right for your user base, whether they require financial assurance (SOC 1®) or security and operational assurance (SOC 2® and SOC 3®).

Readiness Assessment: Identifies control gaps and provides a roadmap before the formal examination begins, saving time and money.

SOC 1®: Assurance for financial systems like payroll, claims, or loan processing.

SOC 2®: Assurance over core technology, security, and operational controls (common for SaaS, hosting, and data centers).

SOC 3®: A brief, general-use report that can be publicly distributed (it does not include detailed control testing).
Our handy guide, “Adding it Up: What Type of SOC Report Do I Need?” is a great starting point to determine what kind of SOC report best fits your company’s business and compliance needs.
When you’re ready to speak with an experienced team member about your reporting needs, Auditwerx will be here for you.
Fill out this form to schedule a free, no-obligation consultation with an experienced team member.
Tell us a little about what you need, and our team will schedule a no-pressure conversation. No obligations, just answers you need.