Submitted by saurav on March 25, 2022

In today's competitive environment, companies tend to outsource some of their business processes to service providers to gain an edge over their competitors. One way for service providers to set themselves apart is to have SOC audits conducted in order to comply with the SSAE 18 requirements developed by the American Institute of Certified Public Accountants (AICPA). A Service Organization Controls (SOC) audit is not mandatory for service organizations; however, it is good to have. A SOC audit refers to the verification of the company's policies, procedures, and processes against a defined list of financial and non-financial controls. A SOC report can be signed only by a Certified Public Accountant (USA).

What are the 3 types of SOC Reports?

SOC 1

  • Relates to the testing of controls relevant to your users' or clients' financial reporting
  • Report sharing is restricted to the service organization's management, user entities, and user auditors

SOC 2

  • Detailed testing of the effectiveness of controls against the 5 Trust Service Principles*
  • Report sharing is restricted to the service organization's management, customers, and prospective customers

SOC 3

  • A brief overview of the effectiveness of controls against the 5 Trust Service Principles*, together with the auditor's opinion and management's assertion
  • The report can be shared with the general public, including on the company's website
  • A SOC 3 review can be done only after the company has completed a SOC 2 Type 2 review

SOC 1 and SOC 2 are further sub-divided into Type 1 and Type 2 reports:

  • Type 1 - A test of design is conducted to determine whether the controls are suitably designed as of a specified date
  • Type 2 - A test of operating effectiveness is conducted to determine whether the said controls have operated effectively over a specified period of time

* The 5 Trust Service Principles are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

What is the importance of being SOC Compliant?

  1. Competitive Edge – Being a SOC compliant company adds to your competitive edge, as clients will most often choose a service provider that values information and network security.
  2. Assurance – Provides assurance to existing and prospective clients that adequate security controls have been designed and are operating effectively to protect client data and systems.
  3. Proactive – Rather than waiting for a data breach to happen and then taking corrective action, service providers can choose to be proactive by having a SOC audit conducted. This saves the service provider from having to pay costly fines in the event of a data or security breach.
  4. Customer Demand – Some customers have a mandatory requirement to deal only with service providers that are SOC compliant.
  5. Regulatory Compliance – Being SOC compliant is not a mandatory requirement. Service organizations that voluntarily take the necessary steps to become SOC compliant are better prepared when regulation requires them to be HIPAA or ISO 27001 compliant.
  6. Better Governance – Having a SOC audit conducted gives service organizations a clear picture of where they stand in terms of information and network security, vendor risk management, and the overall governance and monitoring of the controls that need to operate effectively.

Author:

Anita Jagasia (Senior Manager – Marketing & Operations)
RiskPro India