Does your organization use third party vendors? Many organizations today rely on a number of third parties to provide different services for them. They may be hosting your servers and systems in a remote site or in the cloud. Vendors may be handling and processing your data. You may have them providing monitoring or security operations services for you. But how do you know how well these third parties are doing their job? Do they have controls in place to ensure they are securing your data and that their financial reporting is correct? You, like others in most organizations, do not have the time or expertise to examine all your vendors yourself. And it would be difficult for vendors to handle all of their clients wanting to assess them. There should be a better way, and there is. There is a series of reports that vendors can obtain on an annual basis and provide to their clients, or even potential clients, to help show they are doing things properly. These reports are called SOC (System and Organization Controls) reports and are provided by CPA firms.
To understand these reports, it’s important to understand some of the underlying standards they are based on. The first is SSAE 18, the Statement on Standards for Attestation Engagements #18. It was issued by the AICPA in April 2016, replacing the previous 2010 SSAE 16 standard, and went into effect in May 2017. SSAE 18 is an auditing standard that defines how attestations (basically assessments) of internal controls on financial reporting are conducted for “service organizations”, which is what these third party/vendor organizations are called. The result is reported in a SOC 1 report.
While SSAE 18 is a US standard, it closely mirrors ISAE 3402 (International Standard on Assurance Engagements 3402).
SOC 1 Reports:
A SOC 1 report is issued on an organization’s internal controls over financial reporting (ICFR). This report helps you see if the service organization is handling its finances correctly.
There are two kinds of SOC 1 reports.
- A SOC 1 Type 1 report is a snapshot of the organization’s controls on a given day.
- A SOC 1 Type 2 report is a historical report of the controls over a period of time, at least 6 months.
SOC 2 and SOC 3 Reports:
Next are the SOC 2 and SOC 3 reports. These are issued on an organization’s controls over its system relating to security, availability, processing integrity, confidentiality, or privacy. Such examinations follow the standards set by SSAE 18 but use the Trust Services Criteria to evaluate the controls. These reports are very useful when service organizations provide services such as billing, IT services, cloud services, or remote hosting, among others.
Again, there are two kinds of SOC 2 reports.
- A SOC 2 Type 1 report is a snapshot of the organization’s controls on a given day.
- A SOC 2 Type 2 report is a historical report of the controls over a period of time, at least 6 months.
The SOC 2 report is intended for a limited audience – those within the service organization and its clients who understand the purposes and limitations of a SOC 2 report – whereas the SOC 3 report is a general use report that covers the same topics and is intended for anyone. SOC 3 reports don’t have different types.
As noted, many companies providing third party services to clients obtain SOC reports because it helps them sell their services to potential clients. Many will even indicate on their websites that they are SOC compliant. At 24By7Security, we can assist you, in your role as a client or as a third party vendor, in preparing for a SOC 1/2/3 examination.
You can see a brief description of our services for SOC/SSAE 18 compliance at https://24by7security.com/services/compliance/soc-ssae18/