SSAE 18 / SOC 2 Audit Service

In April 2010 the AICPA (American Institute of Certified Public Accountants) issued SSAE 16, Statement on Standards for Attestation Engagements No. 16, to replace SAS 70 as the standard for reporting on controls at a service organization; it took effect for report periods ending on or after June 15, 2011. SSAE 16 was in turn superseded by SSAE 18, effective for reports dated on or after May 1, 2017, which is the standard SOC engagements are performed under today. Like SAS 70 before it, SSAE 16 (and now SSAE 18) covers controls relevant to the user entities' financial reporting; the operational and security controls of a data center or cloud service are the subject of the separate SOC 2 and SOC 3 reports described below.


Alongside the SSAE standard, the AICPA defined a family of reports describing controls at a service organization, the Service Organization Control (SOC) reports, renamed System and Organization Controls in 2017. SOC 1 reports cover controls relevant to the user entities' internal control over financial reporting. SOC 2 and SOC 3 reports cover controls evaluated against the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy of the service organization's system and the information it handles. A SOC 3 report is a general-use report that may be published or shown to anyone; it is a summary of a SOC 2 examination rather than a higher grade of it, and it is an attestation report, not a certification.

Types of SOC Reports

SOC 1

Report on controls at a service organization relevant to user entities' internal control over financial reporting (ICFR). The AICPA's professional standards require SOC 1 engagements to be performed under the Statement on Standards for Attestation Engagements (originally SSAE 16, now SSAE 18). Businesses that provide services affecting their clients' financial reporting, for example payroll or payment processing, should undergo a SOC 1 audit.

Both SOC 1 and SOC 2 reports come in two types:

Type 1: Reports on whether the description of the service organization's system is fairly presented and whether the controls are suitably designed, as of a specified date. It says nothing about whether the controls actually operated.

Type 2: Covers the same points over a specified period (commonly six to twelve months) and additionally tests the operating effectiveness of the controls during that period, so it shows how the controls were managed over time. Customers and their auditors generally want a Type 2 report.

SOC 2

SOC 2 audit reports provide detailed information and assurance about a company's security, availability, processing integrity, confidentiality, and privacy controls, evaluated against the AICPA's Trust Services Criteria (TSC). Security (the common criteria) is always in scope; the other four categories are included only if the service organization chooses to cover them, so the scope of a given report should be checked rather than assumed.

A SOC 2 report is an important input to regulatory oversight, vendor management, and internal governance and risk management.


SOC 3

Like SOC 2 reports, SOC 3 reports cover controls related to security, availability, processing integrity, confidentiality, and privacy under the Trust Services Criteria. A SOC 3 report is derived from a SOC 2 Type 2 examination but omits the detailed system description and test results, giving a short general-use report that can be shared freely with the public, whereas a SOC 2 report is restricted to management, customers, and their auditors. For a technology company that already undergoes a SOC 2 examination, SOC 3 is a low-cost way to publish the result.

The following table breaks down the differences between SOC 1, SOC 2 and SOC 3 audits.

Purpose
  SOC 1: Report on controls relevant to user entities' financial reporting
  SOC 2: Report on controls against the five Trust Services Criteria categories: security, availability, processing integrity, confidentiality, and privacy
  SOC 3: Report on the same controls as SOC 2, but in a summary a general audience can read

Audience
  SOC 1: Mainly the customers' management and their financial-statement auditors (restricted use)
  SOC 2: Customers and other stakeholders such as their auditors and regulators (restricted use)
  SOC 3: General public (general use)

Example
  SOC 1: Most companies that process financial data on behalf of clients will be asked for a SOC 1 report
  SOC 2: A database-as-a-service company is commonly required by its customers to provide a SOC 2 report before it may host sensitive data belonging to multiple customers
  SOC 3: An organization that has completed a SOC 2 examination may also publish a SOC 3 report to show the general audience that it takes data security and privacy seriously

Advantages
  SOC 1:
  • Work with customers that require a SOC 1 report
  • Increase brand reputation
  • Assure your customers that the controls in scope are in place and, for a Type 2 report, operating effectively
  SOC 2:
  • Work with customers that require a SOC 2 report
  • Increase brand reputation
  • Assure your customers that the controls in scope are in place and, for a Type 2 report, operating effectively
  SOC 3:
  • Produce marketing collateral to spread the news of your attestation to a wider audience

What are the benefits of SOC audits?

  • Improved security posture: a SOC audit is an independent, third-party review of your processes and controls. It surfaces gaps and weaknesses in your processes and systems so that you can fix them before a customer has an unpleasant experience and before they cost you your reputation.
  • Efficiencies: less time spent dealing with your customers' auditors. A SOC report typically gives them everything they need. Without one, expect long questionnaires and requests to come on site and review your processes, controls, and operations; that costs you and your staff time, and the resulting delays and errors are felt by existing customers as well.
  • Differentiation: a SOC report positions you as a security-conscious company and is a competitive advantage when prospective customers compare service providers in a crowded market.
  • Overlap with other frameworks: SOC 2 controls overlap heavily with other frameworks such as ISO 27001 and the HIPAA Security Rule, so evidence gathered for one can often be reused for the others.
  • Less scrutiny from regulators: the controls implemented for a SOC examination reduce the likelihood of a data breach and the financial and reputational damage that follows. A SOC report does not exempt you from regulation, but it gives regulators and customers independent evidence that may reduce the depth of their own review.

What is Vanaps offering for SOC?

  • Readiness Assessment
  • Remediation support
  • Testing and Reporting
  • SOC Attestation Report (from our aligned CPA partner)
  • Our team of experts can assist you when you are ready to take the next steps to ensure that your company conforms to the industry standards that safeguard both you and your customers.