Senior Consultant, The BlumShapiro Cybersecurity Team
As consumers become more and more savvy when selecting their software or services, many are now asking for evidence of independent Service Organization Control (SOC) audits. SOC standards have been established by the American Institute of Certified Public Accountants (AICPA) to define a framework for examining and reporting on controls at a service organization. Many organizations seek these audits as a way to validate sound business controls or compliance requirements. The difficulty comes when trying to decipher which SOC to get (1, 2, or 3) and which Type (I or II). Who needs one? When do they need it? What does it mean? This article will help navigate these questions and concerns.
What is it?
There are three (3) categories of SOC reports:
- A SOC 1 (previously known as a SAS 70 or SSAE 16 report) is an independent audit that examines the controls at the service organization that are relevant to financial reporting and audits of financial statements.
- The SOC 2 is growing in popularity and is quickly becoming the de facto standard for independent assessments of security controls. It is designed for a broad range of technology hosting environments, software applications and cloud computing entities. A SOC 2 reports on controls relevant to the security of data and systems across five trust service principles (also known as “TSPs”) and associated criteria. The TSPs are: Security, Availability, Confidentiality, Processing Integrity and Privacy. A service organization determines which TSPs (and criteria) are most meaningful to its company and customers, and constructs its own controls to meet those criteria. An auditor provides an opinion on whether the company’s controls meet the selected criteria.
- A SOC 3 report is a general use report that is made publicly available by a service organization. It demonstrates at a high-level that a service organization, its system or hosting environment has met the TSPs and associated criteria. The SOC 3 provides minimal detail: a system description along with the auditor’s opinion.
SOC 1 and 2 can occur as either a Type I or a Type II audit. A Type I focuses on the adequacy of the description of the service organization and the suitability of their design of controls to meet control objectives and criteria as of a specified point in time. A Type II goes beyond the Type I as it also includes an auditor’s opinion (based on testing) on the operating effectiveness of the described controls for a specified period of time (typically not less than 6 months).
Who should have one?
Many service organizations seek to gain a competitive advantage by completing an independent assessment of their controls (SOC audit) in order to show their customers that they are serious about security and controls. If your company provides services in some sort of technical and/or functional capacity – payroll processing, medical claims processing, cloud hosting, HR services, document management, workflow, storage, etc. – you should consider completing the SOC audit process. Many auditors and regulators also require service organizations to obtain a SOC audit.
Who needs it?
A company or organization that outsources services (like those listed above) to a third party benefits from obtaining a SOC report from their service organizations. According to the AICPA, the intent of the SOC audit is to give assurance to customers that their data is under sound control.
- A SOC 1 report is a restricted use report intended to provide information to customers about the service organization’s control environment that may be relevant to internal controls over financial reporting (ICFR), or provide information to customers and their auditors for their assessment of ICFR. As such, it is generally used by the customer’s auditors or controller’s offices.
- SOC 2 reports are also considered restricted use reports, used by company management, regulators, and customer user entities. These reports are generally based on demonstrated business need and provided by request only. They are often shared under non-disclosure agreements (NDAs).
- As a general use report, a SOC 3 report is publicly available to anyone.
When to get one?
For user entities, it is advisable to obtain a SOC report on the service provider prior to initiating a contract or service level agreement (SLA). This can be a useful indicator of how a service provider ensures safety, security and integrity over the data you rely on. It is important that user entities read and understand the SOC report to fully appreciate the controls the service organization has implemented.
SOC reports never expire, but if you are a user entity, it is important to take note of the date the Type I was issued and/or the period the Type II covers in order to ensure that the controls of the service organization are still relevant to your intended use or period. If a significant amount of time has passed, customers may seek a “Bridge Letter” or “Gap Letter” from the service organization stating that no changes to the control environment have occurred since the date covered by the report. However, this does not provide any independent assurance. As a service organization, you should consider an annual SOC audit to demonstrate to your user entities your continuing commitment to maintaining solid controls.
While many organizations are still new to understanding SOC and what it can offer them, many others are not only requesting a report from their service organizations but are making purchasing decisions and technology selections based on which providers do (or do not) have one. User entities now view service organizations that respond to SOC requests with questions and confusion as a red flag, and shift their business elsewhere. The time to determine which SOC is right for you and how to start preparing is now.
How BlumShapiro Consulting Can Help:
In today’s world, ensuring that your organization stays protected from threats is key to its success. From cybersecurity threats to PCI compliance and computer forensics, the BlumShapiro Consulting Risk Management team is here to help. Our cybersecurity and risk management best practices have been tested and developed with one goal in mind – your organization’s protection.