NDNB is one of the world’s leading providers of SOC 2 Type 1 and SOC 2 Type 2 audit reports for Software as a Service (SaaS) cloud computing platforms. We have worked extensively with all major cloud computing platforms – SaaS, PaaS, and IaaS – developing auditing methodologies that ensure complete coverage of all required controls.
NDNB. North America’s SaaS and Cloud Computing SOC 2 Experts
Additionally, we’ve successfully issued SOC 2 reports for clients that utilize the three (3) main cloud computing platforms – Amazon AWS, Microsoft Azure, and Google Cloud. And while the “big three” are generally used by service organizations for IaaS and also PaaS, other companies have nonetheless built out SaaS platforms that they host within Amazon AWS, Microsoft Azure, Google Cloud, or other proprietary platforms.
Whatever your SOC 2 compliance reporting needs are for SaaS and other cloud computing environments, NDNB has the experience, knowledge and audit “know-how”. We have personnel on-board with multiple cloud computing certifications – individuals with years of experience working with Amazon AWS, Microsoft Azure, and Google Cloud.
SOC 2 for Software as a Service (SaaS) & Important Points You Need to Know
SOC 2 for Software as a Service (SaaS) is a hot topic these days – and for good reason – as SaaS platforms are being deployed all throughout the world, across every conceivable business sector, and under various distribution models. With that said, the emerging “de facto” compliance mandate for SaaS platforms is the AICPA SOC 2 reporting framework, a technology-oriented assessment program that’s becoming very well-known. Take note of the following 6 important points regarding SOC 2 for Software as a Service (SaaS).
Pick the correct Trust Services Criteria: The five (5) Trust Services Criteria (TSC) are the core elements of SOC 2 reporting, for SaaS entities or any other organization. With that said, it’s important to determine which of the following five (5) TSC should be included within the scope of a SOC 2 Software as a Service (SaaS) report:
- The security of a service organization's system.
- The availability of a service organization's system.
- The processing integrity of a service organization's system.
- The confidentiality of the information that the service organization's system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
For SOC 2 for SaaS, a best practice is to obtain tests of controls relevant to the industry, such as the Cloud Security Alliance (CSA) model or other notable frameworks, and then map them into the appropriate TSC. For example, if a particular framework – such as CSA – addresses physical security, this would fall under the “security” TSC for SOC 2 SaaS reporting.
The CSA framework is without question one of the very best sets of controls found anywhere today for testing compliance for SaaS vendors under the SOC 2 framework. In fact, the Cloud Security Alliance has even gone as far as collaborating with the American Institute of Certified Public Accountants (AICPA) in developing such a framework for SOC 2 reporting.
Discuss Client Demands: Many times, it’s YOUR clients that are demanding SOC 2 compliance, therefore it’s important to ask, assess, and ultimately understand a client’s expectations for what’s included in such a report. Are there certain security parameters they want included? Are they aware of the actual Trust Services Criteria (TSC) and what they constitute?
Asking the right questions before an engagement begins is critical. Imagine all the money and time spent on SOC 2 reporting, only to find out that your clients are expecting something more, different, or simply do not understand the contents of the report. Communication with all parties is critical for ensuring the success of any SOC 2 reporting engagement, so please keep this in mind.
Documentation is Essential: One of the cornerstone mandates for SOC 2 compliance assessments for Software as a Service (SaaS) is ensuring that all mandated information security and operational processes and procedures are in place. This means having comprehensive documentation that’s current, relevant, and highly accurate. Most businesses are very good at what they do, but lack the documentation stating what they do.
Annual Compliance is Now Mandatory: SaaS business models are growing aggressively, and because of this, and the functions they perform, undertaking annual SOC 2 reporting is the new “norm”. This means it’s important to seek out a CPA firm offering multi-year fixed-fee rates, along with supporting resources.
With technology efficiencies growing by leaps and bounds every year – thanks in large part to SaaS offerings – these very platforms are being scrutinized like never before from a regulatory compliance perspective. Putting in place all mandated processes and procedures is an important component of SOC 2 for Software as a Service (SaaS) reporting.
Which Tools to Use: You may have found during the SOC 2 scoping & readiness assessment that you’ll need not only to develop information security policies and procedures that are missing or deficient, but also to make numerous technical changes. Specifically, this could include adding File Integrity Monitoring (FIM), implementing anti-virus (AV), finding a long-term vulnerability scanning solution for internal and external scans, and more. NDNB has years of experience in helping clients choose the right products from the right vendor, and at the right price. Compliance can be costly, particularly when you start purchasing additional hardware and software security solutions, so talk to NDNB first.
North America’s SOC 2 Compliance Experts – Fixed-Fee Pricing