Service Organization Control (SOC) Reporting, which consists of SSAE 16 SOC 1, SOC 2, and SOC 3 reporting, was developed by the American Institute of Certified Public Accountants (AICPA) as a comprehensive replacement for the now historical, one-size-fits-all SAS 70 auditing standard. SOC 1 reporting utilizes the SSAE 16 professional standard, while SOC 2 and SOC 3 incorporate the AT 101 standard, ultimately resulting in three (3) different reporting options for today’s service organizations.
Though there are a number of critical elements that helped shape and ultimately form the new AICPA SOC reporting framework, it's equally important to note that each of the three (3) SOC options is aimed at very specific needs and reporting requirements for service organizations themselves. In short, thankfully, the SAS 70 auditing standard is gone, replaced by new and dynamic – and much better aligned – options for reporting on controls at service organizations. NDNB provides SOC audits for businesses all throughout North America. Let’s take a look at how each of the three (3) SOC options sizes up in today’s market and who its intended audience is:
SOC 1 Reports: Reporting on controls relevant to internal control over financial reporting (ICFR). Please note that SOC 1 reports are conducted in accordance with the Statements on Standards for Attestation Engagements (SSAE), which are the American Institute of Certified Public Accountants (AICPA) professional standards for issuing SOC 1 reports. In short, businesses performing services that could impact financial reporting for their clients should be performing SSAE 16 SOC 1 audits.
SOC 2 Reports: Reporting on controls relevant to security, availability, processing integrity, confidentiality, and privacy. As for SOC 2 reports – and SOC 3, discussed below – they are to be conducted in accordance with the AICPA AT Section 101, utilizing the accompanying Trust Services Principles (TSP) and the related Common Criteria for each respective TSP. Thus, businesses heavily involved in information technology – data centers, SaaS vendors, and others – should be performing SOC 2 reports.
SOC 3 Reports: Similar to SOC 2, SOC 3 reports are for reporting on controls relevant to security, availability, processing integrity, confidentiality, and privacy in accordance with general Trust Service Principles. The biggest difference between SOC 2 and SOC 3 reports is that SOC 3 is a general purpose report, while SOC 2 is much more restricted, intended only for authorized parties. Much like SOC 2, technology companies are a great fit for the SOC 3 reporting option.
2. A Readiness Assessment is Top Priority: While every component of the SOC 2 audit process is important – from remediation to developing policies, testing procedures, report review, etc. – it’s fundamentally critical that every service organization also perform a SOC 2 readiness assessment. Brief, cost-effective, yet highly essential, a SOC 2 readiness assessment helps unearth, clarify, distill, and make sense of the entire auditing process from beginning to end. Specifically, it helps in identifying critical gaps and deficiencies, scope issues, personnel to be involved in the audit, physical locations to travel to, and much more.
3. Understand the SOC Differences: While we provided a brief overview of each of the AICPA SOC reporting platforms – SOC 1, SOC 2, and SOC 3 – just remember the following: SSAE 16 SOC 1 audits are generally performed on service organizations that are offering services that can impact their clients’ financial reporting. As for SOC 2 and SOC 3, such assessments are performed on many of today’s growing technology industries and sectors, such as data centers, SaaS, PaaS and IaaS entities, software developers, and more. You may still find many technology entities obtaining annual SSAE 16 SOC 1 reports – but in reality – it is technically the incorrect assessment, with SOC 2 being the much better approach.
4. Technical Remediation is Often Essential: Additionally, technical remediation is often high on the list, such as changing and re-configuring security settings for creating stronger passwords, more stringent firewall rulesets, etc. Both the policy remediation and technical/security remediation can be incredibly time-consuming – no question about it – and it’s why NDNB offers complimentary SOC 1, SOC 2, and SOC 3 Policy Packets to all of our valued clients.
What’s interesting to note about technical remediation is that when done properly, not only does it greatly increase the safety and security of your I.T. landscape, it also helps when it comes to other compliance frameworks, such as PCI DSS, HIPAA, GLBA and others. You’re essentially getting a two-for-one, so the importance cannot be overlooked.
5. Implement “Continuous Monitoring”: Internal controls need to be assessed and effectively managed on a structured, regimented basis for helping ensure the safety and security of critical organizational assets. While SOC 1, SOC 2 and SOC 3 assessments are no doubt beneficial in assessing annual compliance for service organizations, a process must be in place internally for monitoring such controls, hence, “continuous monitoring”. NDNB offers forms and checklists for helping service organizations monitor such controls on a regular basis – a must for regulatory compliance, and essential for I.T. best practices in today’s world of cybersecurity threats and other attack vectors.
6. Compliance is an Annual Commitment: There’s no “one and done” in the world of SOC 2 compliance, not for the vast majority of service organizations. Why? Because customers, prospects – and other intended users of such reports – want assurances on an annual basis of your internal controls; your policies, procedures, and processes. For this reason, doesn’t it make sense to partner with a firm with years of regulatory compliance expertise, an organization capable of providing fixed-fee services? It does, so contact NDNB today. From SOC 2 readiness assessments to policy templates, and more, NDNB should be high on your list when it comes to finding a provider for today’s complex compliance services.
If you think regulatory compliance is challenging now – just wait a few years – there are even more mandates coming out of the halls of Congress. Get ready and prepared; call NDNB today and speak to the experts who know regulatory compliance better than anyone else.
7. Why Choose NDNB: Because we have an expert staff of seasoned auditors, cybersecurity experts, CPAs, information technology experts – and more – all ready to roll up their sleeves and help businesses become SOC 2 compliant. From readiness assessments to remediation services, along with issuing SOC 2 Type 1 and SOC 2 Type 2 reports, NDNB is one of North America’s most trusted names when it comes to regulatory compliance. We also offer fixed fees for all our services, and that includes HIPAA compliance, GLBA assessments, and more.
8. Next Steps: NDNB is one of North America’s unquestioned leaders when it comes to regulatory compliance services, offering high-quality, fixed-fee pricing for SSAE 16 SOC 1, SOC 2, SOC 3, HIPAA, GLBA, and PCI DSS compliance, along with services for many other specific compliance mandates. Our talented staff of auditors has been working in the cybersecurity and compliance field for years, allowing them to offer unprecedented levels of efficiency and affordability, so let’s talk about your needs today.
NDNB | North America’s Leading SOC Compliance Firm
It’s an entirely new world in regulatory compliance, one that permeates into every conceivable industry in today’s business sectors, and it’s why professionals turn to the experts at NDNB Accountants & Consultants, LLP (NDNB). Not only are we the recognized experts for SOC 1, SOC 2 and SOC 3 reporting for the North American market, we also offer our clients fixed-fee pricing, along with superior audit support services from day one.