This is a question we hear a lot at Ostendio: “Which SOC report do I need?”
Clients are often familiar with SOC (System and Organization Controls) reports and with the benefit to their organization of being able to demonstrate their data security program, but which one best fits their needs? Do they need a SOC report at all, or would another framework suit them better?
Often, clients come to Ostendio because a customer has asked them for a SOC 2 report and they want one quickly to close a deal. The timeline required to pass a SOC 2 is often a surprise to those who don’t realize that this is a complex audit. However, most customers will accept that the organization is currently preparing for a SOC 2 audit and intends to produce a SOC 2 report in the near future. Rather than working towards a single framework, organizations benefit from building a robust data security program, with compliance to their chosen framework, such as SOC 2, as a by-product of that work.
[Read more: 4 Essential SOC 2 Tips that will lead you to success]
Kevin Brown, Information Security Officer at Ostendio, offers this advice to clients building their compliance management programs. “Security is about more than complying with a framework. Organizations need to work on their data security and risk management planning, and with that discipline, they will develop the policies and procedures necessary to pass complex data security audits. Passing a framework should be a by-product of a successful data security program.”
Unfortunately, we regularly see claims that you can complete a SOC 2 in as little as 2 weeks. Our CEO, Grant Elliott, explains why it takes more than 2 weeks here. Automating SOC reports has become a fad, and it is dangerous to expect automation to quickly produce all the evidence needed for a worthwhile audit. In a recent blog post, Elliott warns about the continuing erosion of trust in the AICPA SOC 2 report, which could lead companies to require their vendors and providers to supply additional supporting evidence to demonstrate the strength of their data security programs.
This forecast is not a judgement on the value of the SOC 2 report itself but on the increasing number of compliance platforms offering automated SOC 2 reports and claiming that one can be completed in as little as 2 weeks. Leading SOC 2 auditors, such as Advanced 360 and Aprio, assert that a credible, in-depth data security report cannot be completed that quickly while maintaining the rigor and detail required to bring value.
Unless the AICPA steps up and does more to maintain the integrity of the SOC 2 audit ecosystem, the value of the SOC 2 report will diminish and organizations will be forced to provide additional evidence to support their data security claims. Organizations will look for alternative frameworks and platforms that support a more robust data security program, and where credible auditors can conduct legitimate due diligence.
If you decide that a SOC report is the right choice for your business, you will need to learn the basics.
A System and Organization Controls (SOC) report is an independent attestation, issued by a CPA firm under AICPA standards, on the controls a service organization operates to address the operational and technology risks its customers inherit by outsourcing to it. There are three different SOC reports, and they can be applied to virtually any industry or business sector. In the past, SOC reports focused on controls over financial reporting, but they now cover the full range of business risks that come with outsourcing, including operations, data privacy, and compliance.
To determine which report you need, you first need to know how they differ:
SOC 1 is a financially focused report. It is an audit of the internal controls at a service organization that are relevant to its customers’ internal control over financial reporting (ICFR). SOC 1 reports are restricted-use documents intended for the customer (the user entity) and its financial statement auditors, so in practice they serve auditor-to-auditor communication.
SOC 2 reports are specifically designed to report on the controls that address the five Trust Services Criteria categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the common criteria) is always in scope; the other four are included as they apply to the service being examined. A SOC 2 report describes the control environment either at a particular point in time (a Type I report) or, more usefully to customers, as operating effectively over a review period (a Type II report). Because the report only speaks to that point or period, customers expect it to be renewed on a recurring basis. SOC 2 reports can be shared with customers, management, regulators, and third parties. As they contain sensitive information about the control environment, a Non-Disclosure Agreement may be necessary before sharing.
[Read more: Health Recovery Solutions builds up security program within 6 months]
SOC 3 reports also cover controls against the Trust Services Criteria. However, unlike SOC 2 reports, SOC 3 reports can be widely shared. They are considered “General Use” reports and provide a less detailed summary of the same examination, without the system description and test results found in a SOC 2. Because the underlying audit work is the same, it is not uncommon for organizations to complete a SOC 2 and then have the auditors write a SOC 3 summarizing it. A SOC 3 can be a valuable marketing tool for demonstrating the effectiveness of your control environment.
Based on these factors you can begin to determine which report you need. A SOC 1 report is likely sufficient if your customers only need assurance over controls that affect their financial reporting. If they need any verification of your data security, you will need a SOC 2 or SOC 3 report.
Gila Pyke is the Senior Director of Professional Services at Ostendio and she helps clients prepare for, and pass, complex security audits. She offers this advice to clients who are considering a SOC audit, “Preparing for a SOC audit is an opportunity to take an introspective look at how effectively you are operating your security controls. Finding a platform that helps you take a deeper look at how people, processes, and technologies in your environment are working together not only helps make for a more successful audit but also enables you to manage your security program and risks better. For first-timers or veterans with too much other work on their plate, I also suggest seeking expert support for your CISO or IT team. This will ensure they are not distracted from supporting your business while also preparing for the audit.”
Ostendio has experience helping companies prepare for and complete complex security audits. The Ostendio Professional Services team can also help clients as they implement their security programs. Engaging the Ostendio Professional Services team is the perfect solution to supplement your organization’s compliance team when you are setting up your security program for the first time or preparing for an audit. When you are ready to learn more, speak to one of our experts who can answer any questions and provide a demo of how the Ostendio platform could benefit your security program.