SOC 2

Why Perform an SSAE 18 (SOC 1 or SOC 2 Report)?

Some organizations have heard of SAS 70, SSAE 16, and now SSAE 18, but, haven’t seen the value, other than because one of their customer require it. Truth is, that’s a large part of the value, as many companies will not even think about outsourcing functions to a Company who does not have a clean SOC 1 or SOC 2 Type II Report in place, especially since Vendor Management reviews are now required.

Some benefits of having a SOC report in place include:

  • Ability to perform outsourcing services for Public Companies.
    • If performing financially significant duties for a Public Company, they are required to use a a provider with a valid SSAE 18/SOC 1 in place to give investors assurance over controls that are performed by the outsourcing Company.
  • Public and Private companies are more likely to trust your organization with their data.
    • Beyond any compliance requirements, if you were to trust a company with your data, you would want assurance it will be handled with the utmost care.
  • A year round accessible knowledge source (your auditors).
    • As a service organization, large or small, you will always have questions regarding your business and having a set of auditors in place with access to a wide array of business knowledge, it will allow you to bounce questions and concerns off of a group of trusted individuals who know your business.
  • A third party to review your controls and activities to ensure they are functioning appropriately, and give advice on how to improve upon them.
    • Sometimes your internal audit department is good, but, not always as stringent as they should be. This will help to serve as a check on their work, as well as your staff. Additionally, if there were any findings noted, your auditors are in a great position to give you some tricks and tips to improve and help ensure everything functions well the following period.
  • Improving performance of the organization.
    • Just the knowledge that a review is being performed of an employee’s work that can have far reaching consequences for the company as a whole. No more, “Oh, I didn’t realize that reviewing user access was THAT important to do this month, sorry”, now, everyone knows that if it’s not done, the success or failure of the organization could rest upon them.
Think of the SSAE-18 audit as an annual investment into your company, increasing potential new clients, productivity and accountability.

SOC 2 Report – Trust Services Criteria and Categories

The System and Organization Controls (SOC) 2 Report will be performed in accordance with AT-C 205 (formerly under AT-101) and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 18). The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 18 which is focused on the financial reporting controls.

The Trust Service Principles which SOC 2 is based upon are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each of the principles have defined criteria (controls) which must be met to demonstrate adherence to the principles and produce an unqualified opinion (no significant exceptions found during your audit). The great thing about the trust principles is that the criteria businesses must meet are predefined, making it easier for business owners to know what compliance needs are required and for users of the report to read and assess the adequacy.

Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 was put in place to address demands in the marketplace for assurance over non-financial controls to prevent SOC 1 from being misused just like SAS 70 was.

Did you know? A business isn’t required to address all the principles, the reviews can be limited only to the principles that are relevant to the outsourced service being performed. Some example industries that might have a need for a SOC 2 include: SaaS Providers, Data Center/ Colocations, Document Production, and Data Analytics providers.