“System and Organization Controls” (SOC) Reports were developed by The American Institute of Certified Professional Accountants (AICPA). These reports are used by independent, third-party auditors to examine the controls a service organization has put in place to protect its clients’ assets.
A “control” is a policy, process, or procedure that is created to achieve a desired event or to avoid an unwanted event.
The two most common types of SOC Reports are:
SOC 1 – focused on outsourced services which are relevant to an organization’s financial reporting.
SOC 2 – focused on operational risks of outsourcing to third parties; based on the Trust Services Criteria, which include up to five categories: security, availability, processing integrity, confidentiality, and/or privacy.
For security-conscious businesses, SOC 2 compliance should be a minimum requirement when considering a SaaS provider. It’s all about ensuring that a service organization is securely managing and protecting the data it is entrusted with.
SOC 2 compliance is not required for SaaS and cloud computing vendors, but its role in securing your data cannot be overstated. That’s why we undergo SOC 2 audits on a regular basis to ensure that we remain compliant with the five trust principles.
More and more organizations are outsourcing tasks or entire functions to service providers, but your management is still responsible for assessing and addressing the risks. Management may be able to delegate tasks and functions to third-party vendors, but it can’t delegate its liability if something goes wrong.
SOC Reports establish credibility and trustworthiness for a service provider. We stand behind the integrity of our solutions and our SOC Reports are a badge we wear proudly.