Service Organization Controls (SOC)

With today’s business climate being extraordinarily aware and sensitive to data breaches, your clients may want proof that you are taking reasonable precautions to protect their data and stop any leaks. 

A SOC report is a verifiable auditing report which is performed by a Certified Public Accountant (CPA) designated by the American Institute of Certified Public Accountants (AICPA). It is a collection of offered services of a CPA concerning the systematic controls in a service organization. A SOC report tells us if audits are performed or not; if audits are done as per the controls defined by the serviced company or not; and the effectiveness of the audits performed. A SOC report is the compendium of safeguards built within the control base of the data and is also a check if those safeguards work or not.

SOC 1 reports address a company's internal control over financial reporting, which pertains to the application of checks-and-limits. By its very definition, as mandated by SSAE 18, SOC 1 is the audit of a third-party vendor’s accounting and financial controls. It is the metric of how well they keep up their books of accounts. There are two types of SOC 1 reports — SOC 1 Type I and SOC 1 Type II. Type I pertains to the audit taken place on a particular point of time, that is, a specific single date. While a Type II report is more rigorous and is based on the testing of controls over a duration of time. Type II reports’ metrics are always judged as more reliable as they pertain to the effectiveness of controls over a more extended period of time.

SOC 2 is the most sought-after report in this domain and a must if you are dealing with an IT vendor. It is quite common for people to believe that SOC 2 is some upgrade over the SOC 1, which is entirely untrue. SOC 2 deals with the examination of the controls of a service organization over, one or more of the ensuing Trust Service Criteria (TSC):

• Privacy
• Confidentiality
• Processing Integrity
• Availability
• Security

SOC 2 is built around the definition of a consistent set of parameters around the IT services which a third party provides to you. If you require to have a metric of a vendor’s providence of private, confidential, available, and secure IT services — then, you need to ask for an independently audited and assessed SOC 2 report. Like SOC 1, SOC 2 too has two types — SOC 2 Type I and SOC 2 Type II. 

Type I confirms that the controls exist. While Type II affirms that not just the controls are in place, but they actually work as well. Of course, SOC 2 Type II is a better representation of how well the vendor is doing for the protection and management of your data. But, the serviced party here has to be very clear about this that the SOC 2 Type II report is to be audited by an independent CPA.

Your organization should pursue SOC 1 if your services impact your clients’ financial reporting. E.g., if your organization creates software that processes your clients’ billing and collections data, you are affecting your client’s financial reporting, and thus a SOC 1 is appropriate. Another reason organizations pursue SOC 1 vs SOC 2 is if their clients ask for a “right to audit.

SOC 2, on the other hand, is not required by any compliance framework, such as HIPAA or PCI-DSS, but if your organization doesn’t process financial data but processes or hosts other types of data.