
Why SOC2 and what is its value?
Why SOC 2?
SOC 2 (System and Organization Controls 2) is a type of audit report that attests to the trustworthiness of the services a service organization provides. It is commonly used by customers to assess the risks of outsourcing to a software solution that stores and/or processes their data.
A SOC 2 report is the output of a formal SOC 2 audit. The report is issued by an independent Certified Public Accountant (CPA) firm, which examines the service organization's system (for example the service offered by a SaaS company) against the standards laid down by the AICPA and reports on one or more of five specific categories: Security, Availability, Processing Integrity, Confidentiality and/or Privacy. Note that SOC 2 is an attestation, not a certification: the auditor gives an opinion on the controls in scope for the period examined, and does not "certify" the product.
What is its value?
SOC 2 is a valuable attestation for selling your SaaS solution to customers.
Providing a SOC 2 report gives customers confidence and lets them consume your service without having to verify your controls themselves. Without a SOC 2 report, each customer (or prospective customer) may have to commission their own audit of your service, or send you lengthy security questionnaires, before they can buy it, or may simply go to a competitor who already has a report, resulting in lost business. With a SOC 2 report in hand, you remove that security compliance hurdle for anyone considering your service.


Levels of SOC Audit:
There are three levels of SOC audit for service organizations:
- SOC 1 audits relate to an organization's ICFR (internal control over financial reporting), i.e. controls that affect the financial statements of the organization's customers. They are conducted against the assurance standards ISAE (International Standard on Assurance Engagements) 3402 or SSAE (Statement on Standards for Attestation Engagements) 18.
- SOC 2 audits assess a service organization's security, availability, processing integrity, confidentiality and privacy controls against the AICPA's (American Institute of Certified Public Accountants) TSC (Trust Services Criteria), in accordance with SSAE 18. A SOC 2 report is a restricted-use report, generally shared (usually under NDA) with existing or prospective clients, their auditors and regulators.
- SOC 3 audits are like SOC 2 audits, but their reports are much more concise, omit the detailed description of controls and test results, and are general-use documents designed for a wide audience (they are often published on the organization's website).
SOC 1 and SOC 2 audits are divided into two types:
- Type 1 – the auditor reports on the design of the controls (whether they are suitably designed to meet the criteria) as of a specified date.
- Type 2 – the auditor reports on both the design and the operating effectiveness of the controls over a specified period, typically six to twelve months.
SOC 3 reports always cover a period, so they are based on a Type 2 examination.
The AICPA has also developed SOC for cybersecurity and SOC for Supply Chain.
What is a SOC 2 audit report?
A SOC 2 audit report provides detailed information and assurance about a service organization’s security, availability, processing integrity, confidentiality and privacy controls, based on their compliance with the AICPA’s TSC, in accordance with SSAE 18.
It includes:
- The independent auditor's opinion letter, stating whether the description is fairly presented and the controls were suitably designed (Type 1) and operating effectively (Type 2).
- Management's assertion, in which the service organization's management asserts the same points in its own words.
- A detailed description of the system or service, including its boundaries, infrastructure, software, people, procedures and data.
- Details of the selected trust services categories. Security (the "common criteria") is always in scope; the other four are included at the organization's discretion.
- Tests of controls and the results of testing. Read this section, not just the opinion: an opinion can be unqualified even when individual controls had exceptions, and those exceptions are listed here along with management's response.
- Optional additional information, such as technical information or plans for new systems, details about business continuity planning, or the clarification of contextual issues. This section is not covered by the auditor's opinion.

The Five Trust Services Principles of SOC 2

Confidentiality
“Information designated as confidential is protected to meet the entity’s objectives.”
Privacy
“Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.”

Security
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”