System and Organization Control Reporting (SOC)
As the demand for your company’s services increases, so do the requests from your customers for assurance that you’ve taken the steps necessary to protect the privacy and confidentiality of their data as well as the security, availability and processing integrity of your systems. You are not alone. Looking to reduce infrastructure costs, many organizations are utilizing outsourcing and cloud computing solutions, and the demand for assurance of the integrity of these outsourced applications and functions has expanded as well.
As a service organization providing outsourced or cloud computing, you are an extension of your customers’ system of internal control and your customers rely upon you to protect them from the risk of fraud, unauthorized use of data, loss of data and violation of privacy.
The American Institute of Certified Public Accountants (AICPA) provides three System and Organization Control (SOC) reporting options, SOC 1, SOC 2 and SOC 3, that let you demonstrate the reliability of your system of controls and provide assurance to your customers.
Identifying Which System and Organization Control (SOC) Report Is Right For You
Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements?
Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems?
Do you need to make the report generally available?
Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests?
SOC 1
SOC 1 reports address controls at a service organization that are likely to be relevant to an audit of a customer’s financial statements.
A System and Organization Control 1 report, or SOC 1 report, is a formal audit of a service provider’s controls that affect its customers’ internal control over financial reporting. SOC 1 reports, often referred to by the AICPA attestation standards as SAS 70 and SSAE 16 (now SSAE 18), are specifically intended to meet the requirements of the entities that use service organizations and those entities’ financial statement auditors.
Obtaining a third-party SOC 1 attestation report adds significant value to your organization and also provides your customers with an increased level of confidence. It sets you apart from the competition by demonstrating your commitment to the security of your customers’ data and information.
SOC 2
SOC 2 and SOC 3 reports address controls at a service organization related to operations and compliance as identified in the AICPA’s Trust Services Principles.
A SOC 2 report provides service organizations with an opinion on controls that are related to a predefined set of principles. Unlike a SOC 1 report, where control objectives and controls are specific to the industry and the unique processes within a company, a SOC 2 report utilizes a standardized set of industry-neutral controls based on the AICPA’s Trust Services Principles: security, availability, processing integrity, confidentiality and privacy. A SOC 2 report must include the security principle (known as the common criteria), with inclusion of the remaining four principles being optional based on the company’s needs.
SOC 2 reports provide significant value in situations where customers and internal management must have confidence in the service organization’s system of controls to provide security, availability, processing integrity, confidentiality and privacy. In addition to addressing the internal needs, the SOC 2 report is valuable to your existing customers because it provides a CPA-signed report as assurance of your systems and processes.
SOC 3
The SOC 3 report is intended to be used as a marketing tool for an unrestricted, expanded audience compared to that of a SOC 2 report, such as potential customers and investors. Similar to a SOC 2 report, the SOC 3 report provides an opinion on controls relevant to one or more of the Trust Services Principles (TSP). The SOC 3 report is unique in its lack of use restrictions and in the SOC 3 seal that can be displayed on your website, making it the perfect marketing tool for reaching customers that must have confidence in the service organization’s system of controls to provide security, availability, processing integrity, confidentiality and privacy.