As consumers become more and more savvy when selecting their software or services, many are now asking for evidence of independent Service Organization Control (SOC) audits. SOC standards have been established by the American Institute of Certified Public Accountants (AICPA) to define a framework for examining and reporting on controls at a service organization. Many organizations seek these audits as a way to validate sound business controls or compliance requirements. The difficulty comes when trying to decipher which SOC to get (1, 2, or 3) and which Type (I or II). Who needs one? When do they need it? What does it mean? This article will help navigate these questions and concerns.
There are three (3) categories of SOC reports:
SOC 1 and SOC 2 can each be performed as either a Type I or a Type II audit. A Type I focuses on the adequacy of the service organization's description of its system and the suitability of the design of its controls to meet the control objectives and criteria as of a specified point in time. A Type II goes beyond the Type I in that it also includes an auditor's opinion (based on testing) on the operating effectiveness of the described controls over a specified period of time (typically not less than 6 months).
Many service organizations seek to gain a competitive advantage by completing an independent assessment of their controls (SOC audit) in order to show their customers that they are serious about security and controls. If your company provides services in some sort of technical and/or functional capacity – payroll processing, medical claims processing, cloud hosting, HR services, document management, workflow, storage, etc. – you should consider completing the SOC audit process. Many auditors and regulators also require service organizations to obtain a SOC audit.
A company or organization that outsources services (like those listed above) to a third party benefits from obtaining a SOC report from their service organizations. According to the AICPA, the intent of the SOC audit is to give assurance to customers that their data is under sound control.
For user entities, it is advisable to obtain a SOC report on the service provider prior to initiating a contract or service level agreement (SLA). This can be a useful indicator of how a service provider ensures safety, security and integrity over the data you rely on. It is important that user entities read and understand the SOC report to fully appreciate the controls the service organization has implemented.
SOC reports never expire, but if you are a user entity, it is important to take note of the date the Type I was issued and/or the period the Type II covers in order to ensure that the controls of the service organization are still relevant to your intended use or period. If a significant amount of time has passed, customers may seek a “Bridge Letter” or “Gap Letter” from the service organization stating that no changes to the control environment have occurred since the date covered by the report. However, this does not provide any independent assurance. As a service organization, you should consider an annual SOC audit to demonstrate to your user entities your continuing commitment to maintaining solid controls.
While many organizations are still new to understanding SOC and what it can offer them, many others are not only requesting a report from their service organizations but are also making purchasing decisions and technology selections based on which providers do (or do not) have one. User entities now view service organizations that respond to SOC requests with questions and confusion as a red flag, and they are shifting their business elsewhere. The time to determine which SOC is right for you and how to start preparing is now.