THE IMPORTANCE OF SOC 2
Information security is a concern for every organization, including those that outsource key business operations to third-party vendors. Data mishandled by a vendor, especially by a provider of application or network security services, can leave the enterprise exposed to attacks such as data theft and malware.
SOC stands for "System and Organization Controls"; the reports were formerly called Service Organization Control reports. SOC is a suite of reports defined by the AICPA that licensed CPA firms can issue on the system-level controls at a service organization. The current offerings are SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity.
In addition, there are SOC 2+ reports, in which the SOC 2 examination is extended to cover an additional framework (e.g., HIPAA, HITRUST, NIST). The AICPA continues to add offerings to the suite.
SOC 2 is an attestation, not a certification: an independent CPA firm examines whether a service provider's controls meet the AICPA Trust Services Criteria, which cover five categories (Security, Availability, Processing Integrity, Confidentiality and Privacy), so that the provider can show its clients that their data and their customers' privacy are protected.
There are three types of SOC reports:
- SOC 1 – Internal Control over Financial Reporting (ICFR)
- SOC 2 – Trust Services Criteria
- SOC 3 – Trust Services Criteria for General Use Report
What Does the SOC 2 Type 2 Audit Examine?
SOC 2 examines a service organization's controls against the five Trust Services Criteria for secure data processing and storage. A Type 1 report covers the design of those controls at a point in time; a Type 2 report also tests whether they operated effectively over a review period, typically six to twelve months. Demonstrating that controls meet one or more of these criteria is an attestation to the organization's security and privacy controls:
- Security (the common criteria): the system is protected against unauthorized access, use and disclosure.
- Availability: the system is available for operation and use as committed or agreed.
- Processing Integrity: system processing is complete, valid, accurate, timely and authorized.
- Confidentiality: information designated as confidential is protected as committed or agreed.
- Privacy: personal information is collected, used, retained, disclosed and disposed of in line with the organization's privacy notice.
A SOC 2 report can address one or more of the above criteria; only Security is mandatory.
What are SOC 2 Reports?
A SOC 2 report is issued under the SSAE 18 attestation standard, specifically sections AT-C 105 (concepts common to all attestation engagements) and AT-C 205 (examination engagements). The report describes the service organization's controls that are relevant to its services, operations and compliance, measured against the AICPA's Trust Services Criteria (TSC).
The five available criteria are security, availability, processing integrity, confidentiality and privacy. The security criteria, also referred to as the common criteria, are the only ones that must be included in every SOC 2 report; the other four are added based on the commitments the organization makes to its clients.
The key difference between SOC 1 and SOC 2 is what the controls are tested against. In a SOC 2, controls are identified and tested against the AICPA's predefined Trust Services Criteria. In a SOC 1, the service organization defines its own control objectives (relating to its clients' financial reporting), and the controls that meet those objectives are tested.
When should you pursue a SOC 2 attestation?
Your organization should pursue SOC 1 if your services affect your clients' financial reporting. For example, if your organization builds software that processes your clients' billing and collections data, you are affecting their financial reporting, and a SOC 1 is appropriate.
Another reason organizations pursue SOC 1 is that clients ask for a "right to audit." Without a SOC 1 report to hand them, each such audit is a costly and time-intensive exercise for both parties, especially when several clients make similar requests. A SOC 1 may also be driven by your clients' own compliance obligations: if a client is publicly traded, its auditors must evaluate controls at the service organizations it relies on for financial reporting under the Sarbanes-Oxley Act (SOX), and a SOC 1 is the standard way to provide that evidence.
SOC 2, on the other hand, is not mandated by any compliance framework such as HIPAA or PCI DSS. But if your organization does not process financial data yet processes or hosts other types of client data, SOC 2 is the right fit. With today's business climate extraordinarily sensitive to data breaches, your clients may want independent proof that you are taking reasonable precautions to protect their data and prevent leaks. We built an open source template for SOC 2 teams.
The choice between SOC 1 and SOC 2 depends on your organization's situation. The critical determining factor is whether your organization's controls affect your clients' internal control over financial reporting. Engage an audit firm to determine which SOC report (or both) is the right fit for your organization.
Who needs a SOC 2?
How will ESHA IT help?
We have the SOC 2 experts you need.
- Our team has enabled organizations to meet SOC 2 requirements through our readiness and implementation services and has assisted them through the audit process. Clients have ranged from financial services firms to SaaS companies.
- Our partner CPA firm is licensed and in good standing with the AICPA and has completed 275+ SOC 2 attestations for its clients.