What Is SOC?

A man working at a computer.System and Organization Controls (SOC) is a process of evaluating service companies in a standardized way to show their compliance efforts. It evaluates in many domains, such as “Process” and “Security.” It is done by CPAs, (Certified Public Accountant) through an audit process.

The process is done in an audit of what SOC criterion is being evaluated and, generally, a SOC report is the outcome of the audit.

These reports allow organizations to evaluate the Service Company’s commitment to compliance in a standardized way. SOC reports build trust and confidence. The report also allows the companies that are under the service organization’s care to know whether or not the services they are providing are effective and helpful to their users.

But what is a service organization? Service organizations are businesses that offer outsourcing of essential functions used to help run your business. For example, a company that offers finance transaction services for restaurants, banks, and brokers is considered a service organization. SOC reports allow the customers of the finance transaction company to know how their services are being performed, and whether or not anything needs to be fixed within their system.

Many Types of SOC Reports

SOC reports come in two different SOCs and two different types,

  • SOC1 Type 1 – Point in time evaluation of Financial Controls (Not Applicable here)
  • SOC1 Type 2 – The same Financial Controls but tested over time and found to be working (Not applicable here)
  • SOC 2 Type 1 – Point in time evaluation of the service organizations Trust Services Criteria (Very Important Here)
    • Security
    • Availability
    • Processing
    • Integrity
    • Confidentiality
    • Privacy
  • SOC 2 type 2 – The same as SOC 2 Type 1 but tested over a period of time, generally a quarter, to ensure that the system is working. (Very Important Here)

Here is a more focused look on these types of reports:

SOC 1 Type 1 Report

This report is known as the Statement on Standards for Attestation Engagements 16. This report meets the needs of user entities’ management and auditors as they evaluate the effect of the service organization’s controls on a user entity’s financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of compliance with laws and regulations and for when user entity auditors plan and perform financial statement audits.

SOC 1 Type 2 Report

This report is the same as SOC 1 Type 1, but the testing is not done at a single point in time, but rather, is tested over a period of time, such as a full quarter.

SOC 2 Type 1 Report

SOC 2 steps up the game, moving from simple CPA driven financial principles and moves into the other domains of trust called Trust Principles.

What Are the Trust Principles?

Trust principles are as follows:

  • Security. How protected is the system against those seeking unauthorized access?
  • Availability. How accessible are the services/products that the service organization is offering to the user?
  • Processing Integrity. Is or will the system meet its proposed duties?
  • Confidentiality. Is the data able to be encrypted in a way where only authorized users can understand its meaning?
  • Privacy. How well is the system storing, disposing of, collecting, and using the information in a way that protects it from the eyes of unauthorized users or other systems?

The SOC 2 Type 1 report shows that, at a point in time, the Service Organization had processes and controls in place to cover the TSC Principles tested for in the report.

SOC 2 Type 2 Report

Type 2 report is the same as a Type 1 but is tested through an audit over time. The audit is a systematic and independent examination of the services provider’s ability to securely manage their client’s data and allows them to guard the interests of the client’s organization. It also oversees the protection and privacy of the user’s clients. The audit was designed and developed by the American Institute of Certified Public Accounting (AICPA). The Type 2 report says not only does the Service Organization have the processes in place, but we have tested them over time, and the Service Company is using them.

SOC 2 Certification

To ensure that the results on the SOC 2 audit has not been tampered with and are fair, SOC 2 audits are always issued and carried out by outside auditors. This helps to ensure that there is no biased data. These audits, built to show as to how far the service organization in question is following the five trust principles, allow the user of the service organization to get an outside view of their service organization. This is vital, as the user needs to feel free to leave the service organization if they are not performing to a standard that helps meet and further the needs of the user. Each SOC 2 report is unique to the individual user.

The 5 Trust Principles in Further Detail

To get a clearer understanding as to what the service provider is seeking to accomplish for their users, it is important to know the five trust principles.

Security

Security refers to the system’s ability to keep unauthorized users away from a company’s data. A service organization is responsible for creating a system that creates helpful access controls that help protect the system from theft, abuse, or alteration. This can be accomplished in the form of IT security measures, such as creating a secure network or the application of firewalls.

Availability

Availability is used to show the accessibility of the system, products, or services to the users. When a service organization and a user begin working together, a contract, also known as the service level agreement, creates a minimum acceptable performance level for the system. This is meant to serve as a way for the user and the service organization to determine how well they are doing within any given audit period. However, this does not address how well the system is functioning or how user-friendly it is. This availability only refers to the user’s ability to access security-related functions that protect their data. This is accomplished through monitoring network performance and how available it is through any given time. A service organization’s ability to handle security incidents in a timely and thorough manner is critical for this principle.

Processing Integrity

Processing integrity sets the standard for whether or not a system is achieving its intended purpose. It answers questions such as, Is the data being delivered at the right time to the right place? For any company, it is essential that data processing be complete, thorough, up to date, and promptly handled by authorized personnel only.

It is important to keep in mind that this is not the same as data integrity. If the data contains errors before it was put into the system, then it is up to the user, not the service organization, to catch those errors. The service organization is only responsible for monitoring and handling data once it has been put into the system.

Confidentiality

Service Organizations are designed to ensure that the data that is placed into their care remains confidential and restricted. In other words, only those who have permission should be able to access any of the data. Therefore, service organizations encrypt data to ensure that the data cannot be read by prying eyes during the transmission/moving period. Other safeguards, such as secure networks, firewalls, and secure access controls, can be used to help strengthen the defense of the information that is being processed and later stored into the system.

Privacy

Privacy handles the system’s collection, use, disclosure, and disposal of personal information that falls under the user’s privacy notice. It also uses the criteria set by the AICPA’s general privacy principles. This is to ensure that the user’s and the user’s client’s information remains protected and secure, keeping it between the parties that are currently using it for their purposes. Information that generally falls under the privacy principle is as follows:

  • Name
  • Address
  • Social Security Number
  • Data related to sensitive health information

A Team That Cares

When it comes to finding the right IT outsourcing team to keep your business and client’s information and data secure, there is no one better than Blue Jean Networks. Our team understands the importance of keeping the trust between you and your clients. This is why we work endlessly to come up with new and innovative ways to ensure that your system is up to date, secure, and ahead of the data pirates that are scouring the web. Contact us today to learn more information about our services and to get a free consultation about setting up a secure and reliable IT team for your company!