What is SOC?
With the increasing adoption of Software-as-a-Service (SaaS) solutions, more and more companies are outsourcing internal software applications to SaaS-based service providers. When a company outsources these functions, many of the SaaS provider's risks become the company's risks. Management of the company remains responsible for assessing and addressing the risks its entity faces related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations. When the company engages a service organization to perform key processes or functions, it exposes itself to additional risks related to the service organization's system, but it stays responsible for effective control over the outsourced functions.
Service providers can provide assurance that client data is accurate, safe and protected by undergoing one or more SOC (originally "Service Organization Control", renamed "System and Organization Controls" by the AICPA in 2017) audits. SOC is a family of attestation reporting frameworks defined by the American Institute of Certified Public Accountants (AICPA): an independent service auditor examines the service organization's controls and issues a report that the organization's customers can use to manage the risks of outsourced functions.
What is SOC 1?
SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities, when those controls are likely to be relevant to the user entities' internal control over financial reporting (ICFR). SOC 1 reports are restricted-use reports, which means their use is restricted to:
- Management of the service organization (the company who has the SOC 1 performed),
- User entities of the service organization (service organization’s clients), and
- The user entities' financial auditors (user auditors). The report can assist the user entities' financial auditors with compliance obligations under laws and regulations such as the Sarbanes–Oxley Act. A SOC 1 enables the user auditor to perform risk assessment procedures and, if a Type II report is performed, to assess the risk of material misstatement of financial statement assertions affected by the service organization's processing.
What is SOC 2?
SOC 2 reports are not focused on internal controls over financial reporting, but rather on controls at a service organization relevant to five system attributes, the AICPA Trust Services Criteria categories. Security is always included in a SOC 2 examination; the other four categories are included only where the service organization chooses them as relevant to its commitments:
- Security – The system is protected against unauthorized physical and logical access.
- Availability – The system is available for operation and use as committed or agreed.
- Processing integrity – System processing is complete, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).
What is Type I versus Type II?
For both SOC 1 and SOC 2, the two types of reports that can be issued are Type I and Type II. Both types include the service organization's description of its system (its infrastructure, software, people, procedures, and data) and the auditor's opinion on whether the controls are suitably designed to meet the relevant objectives or criteria. A Type I report covers this as of a single point in time: it says the controls exist and are designed appropriately on that date. A Type II report adds the auditor's tests of the operating effectiveness of those controls over a review period (commonly six to twelve months), so it provides evidence not only that controls are well defined, but that they were actually followed consistently throughout the period.
Why is it so important to have a SOC 2 Type II report?
SOC 2 Type II is widely recognized as one of the stricter audit standards for service providers. Strictly speaking it is an attestation report, not a certification: the auditor does not issue a certificate, but expresses an opinion on the design and operating effectiveness of the provider's controls over the review period. The Type II report includes a description of the tests the service auditor performed on each control and their results, including any exceptions found, so a reader can see not just which controls are claimed but how they were tested and whether they operated as described.
A SOC 2 Type II report lets a service provider demonstrate to customers, with independent evidence, that its services meet the industry's accepted standard for governing controls over the data it processes on their behalf. Because the report is restricted-use, customers should obtain and read it (particularly the scope, the selected Trust Services Criteria, the review period, and any noted exceptions) rather than rely on a statement that the provider "is SOC 2 compliant".