Keep Your SOCs On: From SOC Compliance to SOC 2+ Reporting
Published December 13, 2016 by Karen Walsh
As more services move to the cloud, customers want more transparency from the companies they buy from about how their data and information are being protected. As a result, customers seek more documentation from potential vendors before engaging them. Vendor management policies therefore increasingly require a review not only of third parties but also of the third parties on which those third parties rely. As customers look for greater comfort over the security of their own customers' data, documentation and reporting are becoming an asset to a marketing strategy. The goal of SOC 2+ is specifically to address reporting concerns regarding internal corporate governance, risk management, and compliance processes.
Many companies shy away from information security compliance programs because they add to the already overwhelming bureaucracy of business. It is important, however, for companies to turn that burden into an opportunity. When PwC announced its new SOC 2+ report, the goal was not to add work but to streamline the process and individualize reports to meet the needs of each vendor and its clients. The existing SOC 2 framework addresses five areas:
- The security of a service organization’s system.
- The availability of a service organization’s system.
- The processing integrity of a service organization’s system.
- The confidentiality of the information that the service organization’s system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
This framework was intended as a one-size-fits-all approach. By not distinguishing between the different types of services that vendors provide, it gave customers a general sense of assurance. Unfortunately, SOC 2 did not necessarily answer all of their questions. For example, a company may have clients that offer multiple services (e.g., financial and health), and those clients need different assurances based on their regulatory landscape. Despite completing SOC 2 reporting, the company would still have to respond to individual client questionnaires. With client timelines driving these questionnaires, many companies end up answering the same questions over and over again.
SOC 2 was intended to help address this. However, as with all best-laid plans, the attempt to meet diverse needs through a standardized process has led to additional confusion and legwork. PwC's SOC 2+ intends to fix this fit problem. SOC 2+ uses two reports, each with a different focus. PwC describes the new reports as follows:
- A type 1 report includes a service auditor’s opinion on the fairness of the presentation of the description of the system and the suitability of the design of the controls to meet the applicable criteria.
- In a type 2 report, in addition to what is included in a type 1 report, the operating effectiveness of those controls is also reflected as well as a description of the service auditor’s tests of controls and the results of the tests.
With this in mind, businesses should start thinking about ways to move toward SOC 2+ compliance in order to address customer concerns on a more individualized level. Since the new standards specifically intend to address GRC concerns, ZenGRC is a perfect way to help ease the transition. If you are also looking for a roadmap that outlines the steps you need to take to complete a SOC audit, then check out this SOC 2 guide.
The SOC 2+ assurance control materials suggest a phased approach: management first reviews its processes and controls to find gaps, then remediates those gaps, and finally assesses how the newly established processes and controls are executed. Using a platform that stores and compiles an entire service organization's documentation is a good first step toward this transition and adds value to SOC 2 reporting under the new format.