By Charles on Wednesday, 06 July 2016
Category: SOC Reports

SOC 2 Reports and AT Section 101 | Reporting on Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy

SOC 2 reports, which will come to be known as Reporting on Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy, are to be conducted in accordance with AT Section 101. Thus, SOC 2 will effectively insert itself as the primary reporting option for service organizations reporting on controls outside the scope of financial reporting. In simpler terms, Software as a Service (SaaS) companies, software development entities, cloud computing organizations, data centers, managed services, and many more will be using the SOC 2 framework for reporting on controls. And much like SOC 1 reporting, a service organization can be issued either of two (2) types of SOC 2 reports: a Type 1 or a Type 2.

If you stop and think about it, this is quite significant for a number of reasons. First and foremost, the SOC 2 framework is specifically geared towards the exponential growth of technology- and security-related service organizations, many of which provide outsourcing services to user entities. Second, it hopefully will correct a huge misunderstanding within the business community at large: the myth that SAS 70 was an all-in-one reporting standard for any type of service organization. As you now know, this is simply untrue, and we now have an acceptable and viable reporting option for controls outside the scope of financial reporting.

Lastly, SOC 2 reports are designed to address generally the following key system attributes and traits:

As a service organization, you will need to evaluate your current compliance requirements and commitments to your customers and start to ask yourself which reporting option "we" fall under: SOC 1, SOC 2, or even SOC 3? If you have been receiving SAS 70 audit reports from your CPA firm in the past, what do your customers expect in the future? More importantly, what is the correct SOC reporting framework that "we" should adhere to? NDB Accountants and Consultants can help answer these pressing questions regarding the new compliance requirements with the SOC framework.

When you add it all up, phrases like SOC 1, SOC 2, SOC 3, SSAE 16, and AT Section 101 can become quite confusing. Get the facts and speak to an expert. Call Chris Nickell, CPA, directly at 1-800-277-5415, ext. 706 to get the answers you need.