By ERMProtect Staff
Organizations that outsource data functions to vendors - such as data processing, data storage, or data management - remain responsible for protecting their regulated data. That is why many businesses today prefer to hire data vendors who have demonstrated strong controls over their IT security by undergoing a rigorous audit. In doing so, they reduce their organization’s risk related to compliance violations, reputational damage, and litigation.
The preferred IT security audit for vendors is known as a System and Organization Controls (SOC) attestation report. These audits are performed by hybrid CPAs with specific, in-depth information security expertise. They review and provide an opinion on the vendor’s security controls as mapped to standards set by the American Institute of Certified Public Accountants. Vendors who meet the standards receive a coveted SOC certification, also known as a SOC attestation or SOC report.
There are three different types of reports (SOC 1 through SOC 3), all of which we explain at the bottom of this article. For now, we would like to focus on the SOC 2 report. Many governments and businesses require vendors to obtain the SOC 2 report because it provides valuable insights into an organization’s risk and security posture, vendor management, internal controls governance, regulatory oversight, and more. At ERMProtect, this is the type of SOC report that we typically recommend.
Why SOC 2 is the Best Choice
Some benefits of the SOC 2 report include:
- Provides visibility to clients and commercial benefits - SOC 2 protects an organization’s brand reputation by helping prevent data breaches. Protecting customer data from unauthorized access and theft is a priority for clients, so without a SOC 2 attestation, an organization could lose business.
- Becomes a Competitive Advantage - Having a SOC 2 report in hand gives organizations the edge over competitors who cannot show compliance. When pursuing clients that require a SOC 2 report, having one available will give your organization an advantage over competitors that do not.
- Becomes a Marketing Differentiator - Getting a SOC 2 report differentiates organizations from other companies in the marketplace that have not made a significant investment of capital in IT security. You can market your adherence to rigorous standards while others cannot.
- Helps identify opportunities for improvements – An organization will learn how to be more secure — and efficient — by undergoing a SOC 2 audit. The organization can streamline processes and controls based on a better understanding of the cybersecurity risks that customers face. This will improve services.
- Leverages the knowledge of an outsider - SOC 2 compliance affirms the security of an organization’s services and gives it the ability to provide clients with evidence from an auditor who has seen its internal controls in place and operating.
- Provides evidence of regulatory compliance - Because SOC 2’s requirements dovetail with other frameworks including NIST, ISO 27001, and HIPAA, attaining certification can speed your organization’s overall compliance efforts.
SOC 2 compliance also provides industry-specific benefits such as:
- Managed Services - Managed services providers can set themselves apart by demonstrating their commitment to maintaining the strong internal controls that customers want when entrusting them with the management of their information systems, such as applications, databases, information security, backup and recovery, network management, and system monitoring.
- Banking and Financial Services - Organizations such as credit unions, banks, credit card companies, insurance companies, consumer finance companies, and stock brokerages face numerous challenges in internal controls. For example, physical and logical security play a major role in ensuring customer data is secure. They also must maintain confidentiality and privacy, as well as the completeness, timeliness, and accuracy of transactions. Demonstrating SOC 2 compliance can be advantageous.
- Software as a Service (SaaS) - Efficiency-seeking companies are turning to Software as a Service (SaaS) providers to reduce costs. SaaS providers can gain an edge by showing prospective customers that they can be trusted because of their adherence to widely accepted frameworks for internal controls.
- Data Centers and Colocation Facilities - A single data center can serve many customers, housing vast amounts of sensitive data, which would make a breach exponentially damaging. Therefore, companies scrutinize the internal controls of a data center or colocation facility before trusting them with their data. SOC 2 compliance can provide those companies with the assurance they desire.
The ERMProtect Approach to SOC 2 Audits
SOC 2 compliance is not always required. But it is always advantageous to an organization. ERMProtect’s approach is hands-on and focused on helping organizations meet their requirements in a cost-effective manner, by:
- Understanding our clients’ regulatory and compliance needs and helping them develop a compliance strategy.
- Determining the appropriate scope of the audit.
- Assisting the organization to draft the system description.
- Developing the control objectives for the organization’s processes.
- Planning an appropriate approach to the risk assessment.
- Identifying the basis for the organization's management assertion.
- Helping personnel identify controls and map them to control objectives.
- Benchmarking control objectives and controls with leading practices.
- Testing the operational effectiveness of controls.
- Reporting insightfully on the results of testing.
Types of SOC audits
As mentioned previously, there are three types of SOC audits:
- SOC 1 – The auditor provides an opinion on IT security controls over data processing that impacts financial statements, typically using SSAE 18, a Generally Accepted Auditing Standard established by the American Institute of Certified Public Accountants.
- SOC 2 – The auditor reports on (non-financial) data processing systems and controls based on one or more of the Trust Services principles of security, privacy, availability, confidentiality, and integrity of data.
- SOC 3 – Again, this is a report on (non-financial) data processing systems and controls based on the Trust Services Criteria. However, a SOC 3 can be made public because it does not contain detailed information about systems and controls that could be exploited by someone with malicious intent. Organizations whose primary goal is marketing their achievement of SOC certification should select this option.
Reviewing vs. testing controls
For each SOC audit, there are two types of reports, Type 1 and Type 2.
- A Type 1 examination and report provides an opinion on the fairness and suitability of management’s description of the system as of a particular date. A Type 1 examination focuses only on whether the Trust Services criteria and controls are suitably designed; it does not determine whether they are operating effectively.
- A Type 2 examination and report provides an opinion on the fairness and suitability of the description of the system, and on the operating effectiveness of controls over a period of time, usually six to twelve months.
To learn more about the SOC auditing framework, check out our Guide to SOC Assessments.