SOC (System and Organisation Controls)

SOC 2 reports are unique to each company as every organisation controls and yields to one or other trust service criteria. It defines the criteria for managing client’s data on the basis of five “trusted service principles”: security, availability, processing integrity, privacy, and confidentiality. It is specific to each business unit. In accordance with specific business practices, each develops its own power to conform to one or more of the trust principles. These provide you with important information about how your service provider handles data.

The two types of SOC 2 Reports are –

These ‘Trust service criteria’ are-

• Security: It protects the system and the data from unauthorized access and prevents data theft and system abuse. It focuses on managing customer privacy and integrity and prevents data breaches.

• Availability: It ensures and involves security-related criteria and secures it must to available for use and operation.

• Processing integrity: It works on the principle of delivering accurate data at the right place at the right time, which suggests processing should be accurate, authorised and timely.

• Confidentiality: The data held by the organization is confidential, and it is the organisation’s responsibility to keep the customers’ information unharmed and protected.

• Privacy: The service provider companies held covert information about the customers. The principle ensures that the statistics collected must be used, retained, disclosed and disposed of adequately.

The reports prepared after conducting SOC 2 audit are known as SOC 2 reports.

Yes, the SOC has the auditor’s opinion. A SOC shall contain the opinion of the auditor covering the following areas :-

• If the service organisation controls are fairly described.

• If the controls of the service unit are designed in an effective manner.

• If the service organisation controls are operating effectively over a set period of time (only Type 2)

If the above elements have been achieved by the organisation, the auditor would provide a clean opinion. If the above has been met, but the auditor has found significant exceptions (i.e. such that an objective was not in place or was ineffective), the auditor would issue an “amended opinion“. However, if the organisation physically failed one or more of the above elements, the auditor would issue a “negative” opinion.

• Type 1 report- It ensures that the vendors’ controls are suitable, placed accurately and operating on trust services criteria effectively. It describes a supplier’s system and whether its design is suitable for meeting relevant trust principles on a specific date.

• Type 2 report- It collects the information regarding every operation and monitors them. It focuses on the effectiveness of the controls. It describes the operating effectiveness of such systems for a specified period of time.

If an organisation holds a SOC 2 certification, it gives the customer security that the data will remain secure, hence they can provide you with their sensitive information.

It is not a legal requirement, but it gives leverage to an organisation in the industry. It protects you against data breaches and cyber-attacks and ensures privacy.

SOC 3, also known as System and Organisation Controls 3, works on the same lines as SOC 2. SOC 3 is intended for a general audience and keeps track of organisations’ security controls. It operates on Five pillars, also known as Trust service criteria(These pillars are the same for SOC 2).

• Security

• Availability

• Process integration

• Confidentiality

• Privacy

The reports prepared after completing the SOC 3 audit are known as SOC 3 reports. These reports are shorter and general in nature, hence can be shared openly with the general public on the company’s website with a monogram indicating SOC 3 compliance.

SOC 3 report is designed for Trust Service Criteria for General Use Report. It summarises the content of a SOC 2 report but excludes details of the tests performed and the results of these tests. A SOC 2 report must have been prepared to receive a SOC 3 report.

Performance and reporting requirements for a review of an entity’s cybersecurity risk management program and associated controls.

Which organisation requires a SOC report?

Any service unit that requires independent validation of powers relevant to the manner in which it transmits, processes, or stores customer data may require SOC compliance. Furthermore, due to the increased scrutiny of third-party controls, clients are increasingly demanding SOC Certifications from their organisations.

What determines the cost of a SOC report?

Achieving SOC compliance may not be costly, as soc 1 certification cost mostly depends on many factors such as the type and number of controls in place, the system complexity, related environmental control, etc. A Type 2 is more expensive than a Type 1 due to testing levels and documentation requirements.

In almost all cases, we recommend a readiness assessment prior to a business unit commencing a SOC review for the first time. As part of a readiness assessment, we will undertake a high-level assessment of power within the scope and document our findings. This gives the concerned organisation an opportunity to fill the gaps before we start the SOC reporting process. Moreover, much of this work can be utilised in the SOC.

Does the SOC have the opinion of the auditor?

Yes, the SOC has the auditor’s opinion. A SOC shall contain the opinion of the auditor covering the following areas:

• If the service organisation controls are fairly described.
• If the controls of the service unit are designed in an effective manner.
• If the service organisation controls are operating effectively over a set period of time (only Type 2)

If the above elements have been achieved by the organisation, the auditor would provide a clean opinion. If the above has been met, but the auditor has found significant exceptions (i.e. such that an objective was not in place or was ineffective), the auditor would issue an “amended opinion“. However, if the organisation physically failed one or more of the above elements, the auditor would issue a “negative” opinion.

Is it possible for someone to distribute a SOC for marketing purposes?

No, no one is allowed to circulate SOC 1 report and SOC 2 report for marketing purposes. In such a case, only the SOC 3 report may be distributed for marketing purposes. It is a general-use report as mentioned earlier, which means that the service provider is allowed to give this to anyone.

Question : What is SOC 2?

Answer : SOC 2 refers to a standardized form of auditing and reporting. It assesses the state of privacy and security of a service organization when it interacts with other businesses to process client data. Formerly known as the Service Organization Controls, the SOC now represents System and Organization Controls.

Question : What Is SOC 2 Certification or Compliance ?

Answer :  Attaining SOC 2 certification means ensuring compliance. And compliance with SOC 2 comprises meeting minimum levels of maturity and fidelity across the TSC.

Question : What are the Types of SOC Reports?

Answer : There are three types of SOC reports such as SOC 1, SOC 2, and SOC 3. SOC 1 is a report on service organization controls relevant to a user entity’s internal control over financial reporting.A SOC 2 report is needed when the vendor is providing services related to data security and storage. SOC 3 is also a trust services report for service organizations. It covers the same subject matter as a SOC 2 report but with some key differences.