Which SOC Report Do You Need?Published October 24, 2019 • 3 min read
If your enterprise is a service provider that handles customer data, it should have a System and Organization Controls for Service Organizations 2 (SOC 2) report attesting to its SOC 2 compliance. If you outsource work, your sub-contractors should be SOC 2 compliant, as well.
Developed by the American Institute of Certified Public Accountants (AICPA) in response to growing concerns over data privacy and security, SOC 2 applies to all service providers that process and store customer data. Auditors use AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which emphasizes data security, as a framework.
SOC 2 compliance demonstrates your organization’s commitment to protecting the privacy and security of customer and client information—increasingly important in our connected digital age.
However, SOC 2 is not mandated by government or industry regulators: Compliance is voluntary.
Still, most service providers choose to comply. Why?
Six Reasons for SOC 2 Compliance
- Customer demand: Protecting customer data from breach and theft is top-of-mind for your clients, so without a SOC 2 attestation, you could lose business.
- Cost-effectiveness: Think audit costs are high? In 2018, a single data breach cost, on average, $3.86 million, according to a study by Ponemon and the IBM Institute. That figure rises every year.
- Competitive advantage: Having a SOC 2 report in hand will give you the edge over competitors who cannot show compliance.
- Peace of mind: Passing a SOC 2 audit provides assurance that your systems and networks are secure.
- Regulatory compliance: Because SOC 2’s requirements dovetail with other frameworks including HIPAA and PCI DSS, attaining certification can speed your organization’s overall compliance efforts.
- Value: A SOC 2 report provides valuable insights into your organization’s risk and security posture, vendor management, internal governance, regulatory oversight, and more.
Which SOC Report Do You Need?
- The security, availability, and processing integrity of the systems the service organization uses to process users’ data, and
- The confidentiality and privacy of the information processed by these systems.
SOC 2 and SOC 3 both use these categories. SOC 1, however, differs completely.
- SOC 1 governs financial reporting. A SOC 1 report will answer these kinds of questions: Are internal service organization controls on financial reporting well designed? Do the organization’s controls work, helping it to meet financial goals?
- A SOC 2 report discusses controls that affect the organization’s information security, availability, processing integrity, data confidentiality, and privacy.
SOC 2 and SOC 3 reports cover the same subject matter, but the difference lies in their intended audience.
- SOC 2 reports are written for an informed, knowledgeable audience whose members may have a vested interest in the audit findings.
- SOC 3 reports address a more general audience and tend to be shorter and less detailed than SOC 2 audits. They are often used to demonstrate SOC 2/3 compliance for prospective clients and for marketing.
SOC 2 reports are applicable to these industries, among others
- Cloud computing
- IT security management
- Software as a Service (SaaS) vendors
- Financial processing
- Accounting and auditing
- Customer support
- Sales support
- Medical claims processing
- Insurance claims processing
- Human resources
- Data analysis
- Document and records management
- Workflow management
- Customer relationship management (CRM)
- Technology consulting
Which Type of Report Do I Need?
To complicate the question even more, SOC 2 reports come in two types, with each covering a different period of time.
- Type 1, often an organization’s first-ever SOC 2 report, looks at controls governing data security and privacy at the time of the audit. Type 1 takes a “snapshot-in-time” approach, setting a baseline for future audits.
- Type 2 reports discuss the effectiveness of your organization’s information security and privacy controls since your last SOC audit, which typically means one year.
If you’re looking for more information about hot to run a SOC 2 audit, then take a look at this SOC 2 guide.