Foresite often assists Resellers and their Clients with Service and Organization Controls or “SOC” compliance. Typically the engagement starts by defining what type of report will be needed: SOC 1, SOC 2 or SOC 3. In this post, we will define the differences and provide examples of when each would apply.

Service and Organization Controls (SOC) were developed by the American Institute of Certified Public Accountants (AICPA), and the report is created based on the Statement on Standards for Attestation Engagements (SSAE).

  • SOC: the actual report on the controls
  • SSAE 18: the standard used to create the report and subsequent attestation
  • AICPA: the organization responsible for maintaining the standards

SOC 1 is primarily a financial audit. While it may incorporate security, it is limited to how security is controlled around financial data. Organizations that provide support for banking and similar financial services would be a good fit for a SOC 1.

For example, a business has its whole network in a cloud, and perhaps you are the Reseller providing that cloud. The business is now counting on you to keep the cloud service online, or they are out of business. What is there to assure them that you are financially sound and have controls to prevent fraud that would put you out of business or limit your ability to meet the service agreement? SOC 1 attestation.

How does SOC 1 work? It uses what are called ‘control objectives’, anywhere from 10 to 30, and the auditor and business will decide if each control accurately represents what is needed for assurance. Examples: “Do you require more than one signature on a check of $1,000 or more?” or “How is access control handled for bank accounts?” Once the control objectives are decided upon, the auditor will review the controls and write a SOC 1 report that includes a description of your system and the auditor’s opinion regarding:

  • If your description of controls is fairly presented
  • If your controls are effectively designed

SOC 2 examinations report on the effectiveness of your organization’s controls as they relate to five AICPA-defined trust services criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The SOC 2 examination focuses on how client data is stored and protected. It is a more technical, security-focused examination than SOC 1. Because the criteria are predefined by the AICPA, it is easier to determine what is required for compliance.

SOC 1 ‘control objectives’ are determined by the business, while SOC 2 criteria are prescribed by the AICPA.

The SOC 2 auditor will use the Trust Services Principles (TSP) based on the Trust Services Criteria (TSC). This is a matrix of necessary controls, and the assessor will ask for evidence that the client has a standard in place and is applying that standard.

If you have ever been through a PCI, NIST or ISO assessment, the process is very similar. Every one of these controls must be answered, or an explanation given as to why it is not applicable. For example, processing integrity would not be applicable for a call center, because it is not processing data for another client.

The auditor would write a SOC 2 report that includes a description of your system and the auditor’s opinion regarding:

  • If your implementation of the TSP controls is complete
  • If your controls are effectively designed

SOC 3 is simply a SOC 2 for public consumption: a certificate, without the data and detail, stating that you were compliant with the SOC 2 standards from x date to x date.

Still have questions? Contact us for a complimentary call with one of our consulting team members.