04-11-19 | References

What is a SOC 2 Report?


Introduced in 2011, Service Organization Control (SOC) reports are becoming more and more popular in data security and compliance discussions with every passing year, especially SOC 2. But what is a SOC report? Which one do you need? Why is a SOC 2 report so important? Do you actually need it, or is it something that just looks good on paper?

What is a SOC 2 report?

A SOC 2 report is “designed for the growing number of technology and cloud computing entities that are becoming very common in the world of service organizations,” according to ssae16.org. If a SOC 1 report handles the financial transactions a company makes, SOC 2 reports on the security behind those financial transactions, making it more relevant than ever in the growing wake of credit card fraud and data breaches. Now that you know what a SOC 2 report is in basics, we can dive in to more detail about how it relates to your company.

What’s in a SOC 2 report?

There are five Trust Services Principles, or criteria, that comprise a SOC 2 report:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality, and
  • Privacy

Unlike PCI DSS, which has very explicit requirements, SOC 2 requirements allow more flexibility for the data provider to decide how it wants to meet the criteria. Therefore, SOC II reports are unique to each company. Essentially, the provider looks at the requirements, decides which ones are relevant to their business practices, and then writes their own controls to fit those requirements. The data provider can write extra controls as needed, and disregard others if they are not relevant to what they are doing if they so choose.

The SOC II audit is simply the auditor’s opinion on how that organization’s controls fit the requirements. This makes the auditor’s reputation very important to SOC II reporting, because an auditor who has had many years of experience in SOC reporting will more likely have a more thorough understanding of SOC controls and the best practices to apply to them. The end result of a clean (passed) opinion is that, according to the auditor, the data provider can be trusted as a secure hosting company.

SOC 2 hasn’t changed since it was first implemented, has it?

No. The only thing that’s changed about it is that the criteria within the five Trust Service Principles has been rearranged and refined to be more security based than before. The five principles themselves are still the same, allowing data providers to decide how they want to meet the controls.

Why is a SOC 2 report so popular right now?

The biggest reason is because SOC 2 reports on the security behind highly sensitive transactions, as mentioned above. People want to be able to trust their data providers to be in compliance with confidential security information standards, and a clean SOC 2 report means companies can depend on their hosting provider for secure, compliant hosting. That in turn means less worry for the end customer, and less investment on their part in controls.

It’s important to remember that the customer still has the same responsibility to be compliant with what a SOC 2 report requires, such as company policies and procedures, just like the vendor.

What’s the difference between SOC 1 and SOC 2?

SOC 1 reports are “important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations,” (aicpa.org), whereas SOC 2 reports “are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy.” (aicpa.org)

In layman’s terms, SOC 1 reports on the financial controls, and SOC 2 reports on the security behind those controls. Each report uses different standards—Standards for Attestation Engagements 16 for SOC 1, and Attestation Standards 101 for SOC 2. In addition, a SOC 1 report is a report generated by auditors for other auditors, whereas SOC 2 reports have more sensitive information and are not shared outside the company with anyone.

Who needs a SOC 2 report?

If you’re a data provider that stores or processes financial information, absolutely. If you’re a company looking to outsource your data storage of financial information and need a provider that is secure and compliant, a SOC 2 report will go a long way towards fulfilling that obligation. If your current or potential vendor is not willing to share their reports, consider another provider.

How long is a SOC 2 report valid for?

SOC 2 reports don’t have a fixed validity period set by the American Institute of Certified Public Accountants (AICPA), the organization responsible for the SOC 2 framework. The duration of validity for a SOC 2 report depends on several factors, including the evaluation period, issuance date, and the requirements of the requesting organization.

Typically, SOC 2 reports cover a specific evaluation period during which an independent auditor assesses the controls and processes of the service organization. The length of this evaluation period is determined based on the organization’s unique circumstances. Once the audit is complete, a SOC 2 report is issued with a specific date.

The validity of the report is generally tied to the evaluation period and issuance date. It provides a snapshot of the service organization’s controls and processes during that particular timeframe. Over time, as the organization’s environment and operations change, the report may become less relevant and outdated.

The organizations relying on SOC 2 reports, such as customers, partners, or regulators, may have their own requirements regarding the acceptable age of the report. Typically, they prefer recent reports, usually within the past 12 months, to ensure the information reflects the current security posture of the service organization.

Ok. What about SOC 3?

The SOC 3 report is a public-facing document that gives a high-level overview of information in the SOC 2 report. A SOC 2 report has a lot of sensitive information about specific systems and network controls, and if it falls into the wrong hands, it could cause a lot of headaches for an organization. Therefore, a SOC 3 report is used as the front-facing report, such as marketing materials. Think of it as the abstract of a master’s thesis.

For more information on SOC reports, and SOC 2 specifically, the American Institute of CPAs is a good place to start. You can also find additional resources on SOC 1, and the differences between SOC 1 and SOC 2 or visit www.ssae16.org.

A culture that’s compliant to the core

At OTAVA, cloud compliance and security are practices that are natively baked into our people, processes, and technologies, not bolted on afterwards. Our defense-in-depth approach encompasses administrative, physical, and technical safeguards to protect your data in not one but three ways. We offer a whole host of cloud security compliant solutions that keep mission-critical data and systems safe and protected. If a personalized, compliant solution is what your organization needs, talk to an OTAVA rep today!

Related articles:

Data Center Standards Cheat Sheet: From HIPAA to SOC 2
With the confusion regarding what audits and auditor reports apply to certain aspects of data center standards, I felt the need to create a basic data center/hosting solution audit cheat sheet to simplify matters. Here’s your comprehensive guide to data center audits and reports.

A SOC of A Different Color: Critical Differences Between SOC 2 and SOC 1/SSAE 16
If you’re in a business that needs to meet Sarbanes-Oxley compliance, you probably know by now that the SAS 70 report expired earlier this year and was replaced with the SSAE 16 attestation. SSAE 16 is a lot like SAS 70, but adds an attestation set forth and signed by a company’s management that confirms that the described controls are in place and functional.

SOC 1, SOC 2 & SOC 3 Report Comparison
In April 2010, the AICPA (American Institute of Certified Public Accountants) announced the replacement of SAS 70 by a new and refined auditing standard, the Statement on Standards for Attestation Engagements or SSAE 16. While SAS 70 was originally intended for financial and accounting auditing, the SSAE 16 audit was established to verify data center operational and security excellence.

About Otava

OTAVA provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, OTAVA’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid clouddata protectiondisaster recoverysecurity and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.


Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved