As a service provider, we deliver services to our customers that may affect our customers' financial reporting. Because of that, our customers' auditors require assurance that the controls designed around our service delivery are effective. One way to provide such assurance is a Service Organization Control (SOC) report.
SOC is a product of AICPA (American Institute of Certified Public Accountants), which provides guidance on these audits.
Earlier, this kind of report was popularly known as SAS 70. SAS 70 is no longer valid and has been replaced by SOC 1, SOC 2 and SOC 3. Let's look at them one by one.
What is SOC 1?
A SOC 1 report, issued under SSAE 16 (Statement on Standards for Attestation Engagements No. 16, since superseded by SSAE 18, which did not change the report type), focuses on those of our controls that are likely to be relevant to the audit of our customers' financial statements.
A SOC 1 Type 1 report describes the controls and the auditor's opinion on whether they are suitably designed and implemented at a particular point in time.
A SOC 1 Type 2 report additionally covers the operating effectiveness of those controls over a defined period, typically the last six to twelve months, and includes the auditor's tests and their results. (The same Type 1 / Type 2 distinction applies to SOC 2 reports.)
Please note that SOC 1 audit reports are restricted to the management of the service organization, its user entities (customers) and their auditors.
What is SOC 2?
A SOC 2 report is based on the trust services principles laid down by the AICPA: security, availability, processing integrity, confidentiality and privacy.
A service organization may choose which of these principles are in scope for its report; the security principle, expressed as the common criteria, is the core of the report. SOC 2 is focused on controls that are not related to financial reporting.
We have implemented the common criteria of the SOC 2 attestation standard to conform to the stated AICPA requirements. We adopted SOC 2 because it fulfills our customers' assurance demands for non-financial controls.
What is SOC 3?
SOC 3 is a publicly available report that can be shared on a website or otherwise distributed freely. It does not include a description of the service auditor's tests of controls and their results, and the description of the system is less detailed than the description in a SOC 2 report.
It is mostly used for marketing purposes. We plan to be attested for our first SOC 3 report in 2017. It will provide a general description of our system and the auditor's opinion on whether our controls meet the selected trust services principles, without the level of detail found in SOC 1 and SOC 2 reports.
Why are these reports important?
Several factors make these reports important:
- Services being outsourced.
- Transparency of service delivery model.
- Growth of cloud computing.
- Management and governance of IT and of management controls.
SOC reports are designed to help organizations in the service industry build trust and confidence in the level of service performed, backed by checks, balances and independent endorsement in the form of a report by an independent CPA firm. Each type of SOC report is intended to meet specific customer requirements in the compliance and security ecosystem.