Top 5 Things to Know Before Requesting a SOC Report
From the AICPA website: Service Organization Controls are a series of accounting standards that measure the control of financial information for a service organization. They are covered under both the SSAE 16 and the ISAE 3402 professional standards.
It is common for entities to outsource business tasks or functions to service organizations, even those that are core to an entity’s operations. Although a user entity may rely on a service organization to perform the outsourced tasks or functions, the user entity still retains responsibility (and the associated risks) for the service it provides to its own customers.
A Service Organization Control 2 (SOC 2) report covers organizational controls related to security, availability, processing integrity, confidentiality, and privacy. The criteria against which these five areas are evaluated are defined in the AICPA Trust Services Principles and Criteria.
Top 5 Things to Know Before Starting Your SOC Report Project:
- Know the difference between SOC 1, SOC 2, and SOC 3. Each report has its own value and is used differently: a SOC 1 addresses controls relevant to a user entity’s financial reporting, a SOC 2 addresses the trust services principles listed above and is a restricted-use report, and a SOC 3 is a general-use summary of a SOC 2 that omits the detailed description of the controls and the auditor’s tests.
- Know the difference between a Type 1 report and a Type 2 report. A Type 1 reports on whether the controls are suitably designed as of a point in time, but does not test whether they operated effectively. A Type 2 DOES test the operating effectiveness of the controls over a review period (typically six to twelve months).
- Know that a readiness assessment is a good way to get the environment in shape before spending tens of thousands of dollars on a report whose findings you may not like when it is finished.
- Know that in a SOC 2, you, not the auditors, select the trust services principles (TSP) to be included in the report. Security is mandatory in all SOC 2 reports, but the other four are at your discretion.
- Know that having the review performed once will be far cheaper than having each of your clients or potential clients examine your controls individually.