SOC 2 Background Checks: What It Means When Your Screening Provider Is Compliant

Learn how SOC 2 background checks ensure security compliance and why selecting the right screening provider matters for organizations.

Created by Charm Paz, CHRP, Recruiter & Editor

Background checks enter the SOC 2 picture as a personnel security control under the Security Trust Services Criterion, giving auditors documented evidence that access to customer data and critical systems was managed at the human level, not just the technical one. This guide covers what that actually requires from a screening provider, why it matters when selecting one, and what FCRA demands alongside it.

Key Takeaways

  • SOC 2 stands for System and Organization Controls 2, an attestation framework developed by the AICPA that evaluates whether a service organization's controls adequately protect customer data.
  • When a background screening provider holds SOC 2 Type II attestation, it means an independent auditor has verified that the provider's security controls were designed appropriately and operated effectively during the review period. A Type I report covers design only, without evaluating whether controls operated consistently over time.
  • Background checks are not explicitly mandated by the SOC 2 framework. They are a personnel security control that supports the Security Trust Services Criterion, and auditors examine them as evidence of control design and operating effectiveness.
  • SOC 2 personnel security controls extend to contractors, vendors, and third-party personnel with system or data access, not only to direct employees. A screening provider that understands this builds programs that cover the full workforce, not just payroll.
  • FCRA applies to every background check ordered through a consumer reporting agency, regardless of whether the check is being ordered to satisfy a SOC 2 requirement or any other compliance obligation.
  • A SOC 2-aligned background check program requires more than completed checks. It requires a written policy, defined personnel categories, documented check components, consistent application, and an audit trail demonstrating operating effectiveness over time.
  • When your organization is under SOC 2 scrutiny, auditors will examine your screening vendor as part of your vendor risk management controls. A provider with SOC 2 attestation gives you documented evidence to satisfy that review.
  • Working with a SOC 2-compliant screening provider means the provider's own controls have been independently evaluated, giving your organization a defensible answer when customers, auditors, or enterprise procurement teams ask about your screening program's security posture.

What SOC 2 Is and Why It Matters for Background Screening

SOC 2 Defined: System and Organization Controls 2 and the AICPA Framework

SOC 2 stands for System and Organization Controls 2, a framework developed by the American Institute of Certified Public Accountants that evaluates whether a service organization has the right controls in place to protect customer data. When a vendor holds SOC 2 attestation, a licensed CPA firm has audited that vendor's control environment and issued a report documenting whether those controls were designed appropriately and operated effectively.

That report comes in two forms. A Type I report evaluates whether controls were designed correctly at a specific point in time. A Type II report evaluates whether those controls actually worked consistently over a defined review period, typically six to twelve months. For most enterprise procurement and vendor risk management requirements, customers want to see a Type II report because it demonstrates that the vendor's program operated in practice, not just on paper.

For HR professionals and procurement teams evaluating background screening providers, SOC 2 attestation is one of the most meaningful signals of operational security maturity. It means the provider has subjected its own systems, processes, and personnel controls to independent third-party scrutiny, and that scrutiny has produced a documented audit opinion covering the review period.

The Five Trust Services Criteria and What They Mean for a Screening Provider

SOC 2 organizes its requirements into five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only one required in every SOC 2 engagement. The others are included based on what the organization has committed to its customers.

For a background screening provider, each criterion carries direct operational relevance. Security governs whether the provider controls who has access to the sensitive personal data it processes. Confidentiality addresses how that data is protected from unauthorized disclosure. Privacy governs how personal information is collected, used, retained, and disposed of. A screening provider that has achieved SOC 2 attestation across these criteria has demonstrated to an independent auditor that its handling of candidate data meets a defined and tested standard.

Why SOC 2 Auditors Examine Personnel Security Controls

When auditors examine a screening provider's SOC 2 controls, they are not only looking at the checks the provider runs on candidates. They are examining the provider's own internal personnel security program: who has access to candidate data, whether those individuals were screened before receiving that access, and whether access controls operated consistently throughout the review period. The evidence auditors examine includes:

A screening provider that holds SOC 2 Type II attestation has already answered these questions under independent audit. That answer is documented and dated, and providers typically share their reports with prospective customers under a non-disclosure agreement as part of the vendor due diligence process.

How Background Checks Map to the Security Trust Services Criterion

The Personnel Security Control Requirements Background Checks Satisfy

The Security TSC requires organizations to demonstrate that they control who gets access to their systems and customer data. For a screening provider, that means demonstrating that its own employees and contractors with access to candidate records were screened before receiving that access, and that the screening program operated consistently throughout the audit period.

The check itself is not the control. The control is the program behind it: the written policy, the defined scope, the consistent execution, and the paper trail. An auditor testing this control will pull a sample of personnel records from the review period and ask to see proof that screening happened before access was granted.

Which Personnel Categories SOC 2 Controls Apply to

SOC 2 personnel security controls apply to any individual with access to customer data or production systems, regardless of employment classification. For a screening provider, that means not just full-time employees but also contractors, consultants, and any third-party personnel with access to the systems that process your candidates' sensitive personal information.

A provider that screens only its direct employees has a gap in its SOC 2 personnel security program that auditors will find. When evaluating a provider's SOC 2 attestation, confirm that the scope of their personnel security program explicitly covers all individuals with access to candidate data. The categories auditors most commonly examine include:

What a SOC 2 Audit Actually Evaluates

Assessment type: What auditors examine

  • Design effectiveness: Written personnel security policy defining covered categories, check components, timing requirements, and contractor scope
  • Operating effectiveness: Background check completion records matched to hire dates, onboarding records, and access provisioning dates
  • Exception handling: Documentation of any delayed or waived checks and the approval process used
  • Contractor coverage: Evidence that third-party and contractor screening requirements were applied consistently alongside the employee program

Operating effectiveness is where most programs fail under audit. A well-written policy that was not consistently followed during the review period still produces a finding. When a provider presents a clean Type II report, the program held up under exactly this kind of scrutiny.

What a SOC 2-Aligned Background Check Program Actually Includes

Check Components Most Commonly Examined in SOC 2 Personnel Security Control Reviews

SOC 2 does not prescribe specific check components. It requires evidence of a risk-appropriate screening program whose choices were deliberate and consistently applied. The components most commonly included in SOC 2 personnel security programs for organizations handling sensitive data include:

When evaluating a provider, asking specific questions about program scope and check components is a reasonable part of due diligence.

Documentation and Policy Requirements That Make a Program Auditable

Completed checks without a documentation trail do not satisfy SOC 2 operating effectiveness standards. The documentation requirements auditors examine include:

For HR teams evaluating providers, this documentation standard translates directly into a vendor due diligence question: can the provider show you the policy, the coverage scope, and the audit trail that an independent auditor has already reviewed?

Check Frequency and Re-Screening in a SOC 2-Aligned Program

A background check run at hire and never revisited creates a coverage gap that grows every year. SOC 2 auditors will ask whether the organization's policy addresses re-screening and whether the program followed that policy throughout the review period. Most SOC 2 personnel security programs address this through defined periodic cycles for high-access roles, trigger-based re-screening when role changes expand access scope, or continuous criminal monitoring enrollment for roles where waiting until the next scheduled check is not acceptable. A provider that applies these standards to its own workforce demonstrates that it understands post-hire risk, not just pre-hire screening.
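As an added illustration that is not part of the article or any vendor's tooling, the following Python replays the auditor's operating-effectiveness test described above over a constructed sample of personnel records: it flags screening that was missing or completed after access was granted without a documented exception, overdue periodic re-screening for high-access roles, and role changes that widened access without a trigger re-screen. The record layout, the sample population, and the 365-day re-screening interval are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed record layout (constructed for this example, not any vendor's schema).
@dataclass
class PersonnelRecord:
    person_id: str
    category: str                         # "employee" or "contractor"
    access_granted: date                  # date customer-data/system access was provisioned
    screening_completed: Optional[date]   # None = no check on file
    last_screening: Optional[date]        # most recent check (initial or re-screen)
    high_access: bool = False             # role subject to periodic re-screening
    access_expanded: Optional[date] = None        # role change that widened access scope
    exception_approved_by: Optional[str] = None   # documented waiver/delay approval

def run_control_test(records, period_end, rescreen_interval_days=365):
    """Replay the operating-effectiveness test over a sample of records.

    Returns a list of (person_id, issue) findings. An empty list means the
    sample showed no gap; each finding is a record an auditor would cite.
    """
    findings = []
    for r in records:
        # 1. Timing: screening must be complete before access was provisioned,
        #    unless a documented exception approval exists.
        if r.screening_completed is None or r.screening_completed > r.access_granted:
            if r.exception_approved_by is None:
                label = ("no screening on file" if r.screening_completed is None
                         else "screening completed after access granted")
                findings.append((r.person_id, f"{r.category}: {label}"))
        # 2. Periodic re-screening for high-access roles (assumed 365-day cycle).
        if r.high_access and r.last_screening is not None:
            if (period_end - r.last_screening).days > rescreen_interval_days:
                findings.append((r.person_id, "periodic re-screening overdue"))
        # 3. Trigger-based re-screening: access expanded after the last check.
        if (r.access_expanded is not None and r.last_screening is not None
                and r.access_expanded > r.last_screening):
            findings.append((r.person_id, "access expanded without re-screening"))
    return findings

def coverage_gap(records):
    """Personnel categories with no screening evidence at all.

    Surfaces a contractor coverage gap separately from individual timing failures."""
    return sorted({r.category for r in records if r.screening_completed is None})

# Constructed sample population for a review period ending 2024-12-31.
PERIOD_END = date(2024, 12, 31)
SAMPLE = [
    PersonnelRecord("E-101", "employee", date(2024, 3, 4), date(2024, 2, 27), date(2024, 2, 27)),
    PersonnelRecord("E-102", "employee", date(2023, 6, 1), date(2023, 5, 20), date(2023, 5, 20),
                    high_access=True),
    PersonnelRecord("E-103", "employee", date(2024, 5, 6), date(2024, 5, 9), date(2024, 5, 9),
                    exception_approved_by="CISO"),
    PersonnelRecord("E-104", "employee", date(2024, 1, 8), date(2024, 1, 2), date(2024, 1, 2),
                    access_expanded=date(2024, 9, 1)),
    PersonnelRecord("C-201", "contractor", date(2024, 7, 15), None, None),
]

if __name__ == "__main__":
    for pid, issue in run_control_test(SAMPLE, PERIOD_END):
        print(pid, issue)
    print("categories lacking screening evidence:", coverage_gap(SAMPLE))
```

On the constructed sample the late check for E-103 produces no finding because an approval is on file, while the unscreened contractor, the stale high-access check, and the unreviewed access expansion each do.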

Contractor and Third-Party Personnel: The SOC 2 Screening Gap Most Organizations Miss

Why SOC 2 Controls Extend Beyond Direct Employees

Most SOC 2 personnel security programs start with full-time employees and never explicitly address contractors or vendor personnel. That gap is almost always unintentional, but auditors find it. A contractor with production database access presents exactly the same data security risk as a full-time employee with the same access, and SOC 2 treats them identically.

For organizations evaluating a background screening provider, this is directly relevant. The provider's engineering, support, and data operations teams may include contractors with full access to candidate records. A provider whose SOC 2 attestation covers only direct employees has left a material portion of its access population outside the audited control.

Vendor Management Controls in the Security TSC

The Security TSC includes requirements around how organizations manage risk from vendors and business partners, particularly those whose personnel interact directly with the organization's systems or customer data. These requirements ask for evidence that vendor risk was assessed and that controls were applied proportionally to that risk.

For organizations selecting a background screening provider, this cuts both ways. Your own SOC 2 auditor may examine your screening vendor as part of your vendor risk management controls, making the provider's attestation status directly relevant to your own audit. Additionally, a provider that holds SOC 2 attestation has already demonstrated to an independent auditor that it manages its own vendor and contractor risk appropriately.

How Provider-Side Contractor Screening Affects Your SOC 2 Posture

When a screening provider uses contractors with access to candidate data, those contractors fall within the scope of your vendor risk. A provider that maintains a single, unified FCRA-compliant screening workflow for all its personnel categories demonstrates both SOC 2 rigor and FCRA discipline. The practical due diligence question is straightforward: does the provider's SOC 2 attestation cover all personnel with access to candidate data, and can they show you the scope documentation that confirms it?

FCRA Compliance in SOC 2 Background Check Programs

Why FCRA Applies Regardless of the SOC 2 Compliance Driver

When background checks are ordered through a consumer reporting agency, FCRA applies. It applies regardless of why the check is being ordered. A SOC 2 requirement does not create an exemption.

FCRA defines a consumer report to include background check information communicated by a consumer reporting agency and used for employment purposes, covering criminal history searches, identity verifications, employment verifications, and other check components regardless of whether they are delivered as a single report or individual search results. The compliance driver does not change the statutory obligation. Ordering checks to satisfy an auditor is still ordering checks under FCRA.

A screening provider operating within a SOC 2 framework must still maintain full FCRA compliance infrastructure. SOC 2 attestation does not substitute for FCRA compliance, and both represent independent obligations a provider must satisfy simultaneously.

FCRA Obligations That Apply to Every Check in a SOC 2 Program

Every background check ordered through a CRA requires three things, regardless of whether it is being ordered for SOC 2 purposes or any other reason:

A screening provider that can walk you through these obligations clearly is demonstrating the compliance literacy that a SOC 2 framework requires and that your organization needs from a screening partner.

How FCRA Non-Compliance Creates Dual Liability Inside a SOC 2 Program

FCRA non-compliance in a SOC 2 background check program does not just create a regulatory problem. It creates an audit problem at the same time, because the documentation gaps FCRA non-compliance produces are the same gaps SOC 2 auditors test.

FCRA non-compliance creates two independent categories of liability:

  • Regulatory and civil liability under FCRA, including statutory damages, actual damages, attorney's fees, and, in willful cases, punitive damages.
  • Audit and attestation risk under SOC 2, where missing disclosure records and incomplete adverse action documentation are exactly the kinds of procedural gaps auditors look for when testing operating effectiveness.

Both obligations are independent, and satisfying one does not substitute for satisfying the other.

What to Look for in a SOC 2-Compliant Screening Provider


Policy and Documentation Standards

A screening provider's SOC 2 attestation is only as meaningful as the program behind it. A SOC 2-aligned personnel security policy covers:

  • the personnel categories subject to screening and the basis for that determination;
  • the check components included and the rationale for each;
  • the timing requirement relative to access provisioning;
  • the re-screening and ongoing monitoring approach;
  • the exception handling process and approval authority;
  • the contractor and third-party screening requirements;
  • the FCRA compliance requirements that apply to every check ordered through a CRA.

A provider that can speak to each of these elements and point to the relevant sections of its SOC 2 report is demonstrating the compliance architecture your organization needs.

Coverage, Components, and Frequency Standards

Design dimension: Standard

  • Coverage: All personnel with access to customer data or production systems, regardless of employment classification, including contractors and third-party personnel
  • Minimum check components: Criminal history search (national database + county-level verification), identity verification, sex offender registry search (all states)
  • Role-appropriate additions: Employment verification, education verification, professional license check, federal criminal search for elevated-access roles
  • Re-screening frequency: Annual or biennial for high-access roles; trigger-based for role changes that expand access scope
  • Continuous monitoring: Recommended for roles where the between-check gap presents material risk

A provider whose own program meets these standards has applied the same rigor to its internal operations that it asks its customers to apply to theirs.

Ongoing Monitoring as a Signal of Continuous Compliance Maturity

SOC 2 Type II attestation is not a one-time achievement. It is evidence of a program that ran consistently throughout a sustained review period. A provider that addresses ongoing monitoring and re-screening in its personnel security program demonstrates attention to post-hire risk, not just onboarding compliance.

That monitoring program must comply with FCRA, including the disclosure and authorization requirements that apply before enrollment. If a monitoring alert is used as a factor in any covered employment action, including termination, reassignment, or a material change in employment or engagement terms, the FCRA adverse action process applies.

Conclusion

SOC 2 attestation in a background screening provider is not a marketing badge. It is documented, independently verified evidence that the provider built a personnel security program that held up under audit, covered everyone with access to candidate data, and maintained that program consistently over time. For HR professionals and procurement teams selecting a screening partner, it is one of the clearest signals that the provider applies the same compliance discipline to its own operations that it is being trusted to apply to yours.

Frequently Asked Questions

Are background checks required for SOC 2 compliance?

SOC 2 does not mandate specific background check requirements. Background checks are a personnel security control that supports the Security Trust Services Criterion. Auditors examine whether the organization has a documented, consistently applied screening program covering personnel with access to customer data and critical systems. Organizations without a defensible program will face findings against the personnel security controls in the Security TSC.

What background checks should a SOC 2 program include?

SOC 2 does not prescribe specific check components. Most SOC 2 personnel security programs include a criminal history search with national database and county-level verification, identity verification, employment verification, and a sex offender registry search across all states. Additional components may be appropriate based on the sensitivity of the role and the access scope of the individual. The program should be documented in a written policy and applied consistently.

Does SOC 2 require background checks on contractors and vendors?

SOC 2 personnel security controls extend to any individual with access to customer data or production systems, regardless of employment classification. Contractors, consultants, and vendor personnel with direct system or data access fall within the scope of the Security TSC personnel security controls. Programs that screen only direct employees and exclude contractors leave a gap that auditors will identify in operating effectiveness testing.

How often should background checks be renewed for SOC 2 compliance?

SOC 2 does not specify re-screening intervals. Most defensible programs define periodic re-screening cycles for high-access roles, trigger-based re-screening for role changes that expand access scope, and continuous criminal monitoring as an option for roles where the between-check gap presents material risk. The re-screening approach should be documented in the written personnel security policy and applied consistently throughout the Type II review period.

Does FCRA apply to background checks run as part of a SOC 2 program?

Yes. FCRA applies to any background check ordered through a consumer reporting agency for employment purposes, regardless of the reason the check is being ordered. A SOC 2 compliance requirement does not create an exemption. Every check in a SOC 2 personnel security program ordered through a CRA requires a standalone written disclosure, written authorization, and the full adverse action process if the result influences a negative employment decision.

What documentation do SOC 2 auditors look for in a background check program?

Auditors examine the written personnel security policy, check completion records matched to hire dates and access provisioning dates, documentation of any exceptions and the approval process, and evidence that the program covers contractors and third-party personnel as well as direct employees. For Type II engagements, auditors test operating effectiveness over the review period, meaning consistent application throughout the period is required.

What is the difference between SOC 2 Type I and Type II for background check programs?

A SOC 2 Type I report evaluates control design at a point in time. A Type II report evaluates both control design and operating effectiveness over a defined review period, typically six to twelve months. Type I requires evidence that the program was designed appropriately. Type II requires evidence that the program ran consistently throughout the review period, including check completion records, re-screening events, and contractor screening documentation.

Can FCRA non-compliance affect a SOC 2 audit finding?

FCRA non-compliance can contribute to a SOC 2 audit finding when the documentation gaps it creates, such as missing disclosure records, absent authorization forms, or incomplete adverse action documentation, are the same gaps auditors test when assessing background check program operating effectiveness. An auditor who finds that procedural documentation is incomplete may identify those gaps as control deficiencies regardless of whether the underlying checks were completed.

Additional Resources

  1. AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
    https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
  2. Background Checks: What Employers Need to Know (FTC / EEOC Joint Guidance)
    https://www.ftc.gov/tips-advice/business-center/guidance/background-checks-what-employers-need-know
  3. EEOC Enforcement Guidance: Consideration of Arrest and Conviction Records in Employment Decisions
    https://www.eeoc.gov/laws/guidance/enforcement-guidance-consideration-arrest-and-conviction-records-employment-decisions
  4. NIST Special Publication 800-53: Personnel Security Controls (PS Family)
    https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  5. FTC Using Consumer Reports: What Employers Need to Know
    https://www.ftc.gov/business-guidance/resources/using-consumer-reports-what-employers-need-know

ABOUT THE CREATOR

Charm Paz, CHRP, Recruiter & Editor

Charm Paz is an HR professional at GCheck, specializing in background screening, fair hiring, and regulatory compliance. She holds FCRA Advanced certification from the Professional Background Screening Association (PBSA) and helps organizations navigate employment regulations with clarity and confidence.

With a background in Industrial and Organizational Psychology, she translates policy into practice to build ethical, compliant, human-centered hiring systems that strengthen decision-making over time.