Does Your Organization Need SOC 1 or SOC 2?
What is SOC 1 (SSAE 16)?
Not so many years ago, publicly traded businesses typically would conduct annual SAS 70 audits and feel content, knowing that an external auditor determined that their ducks were in a row. If they relied on a vendor in ways that might measurably affect their own internal controls over financial reporting (e.g., their bottom line), then they would choose a vendor who also produced an SAS 70 audit each year. Created by the American Institute of Certified Public Accountants (AICPA) in 1993, and based on earlier versions of service auditor reporting, SAS 70 was evidence that an organization was audited by a qualified third party to ensure that valid internal controls were in place to protect against threats like corruption and risk. Of course, all things change and in June of 2011 SAS 70 was replaced with SSAE 16 (Service Auditors to the Statements on Standards for Attestation Engagements No. 16). Also known as SOC 1, these Service Organization Controls are very similar to what was contained in SAS 70. As a result, companies which conducted SAS 70 audits in the past have simply switched over to SOC 1. Well, it’s not quite so simple though. As IT has changed the nature of business and how we conduct business, the need for a third party auditor to scrutinize the inner workings of an organization has grown.
How about SOC 2?
To better address the diverse needs of different entities, the AICPA created SOC 2. The official determining factor when choosing between SOC 1 and SOC 2 is whether or not an organization’s controls would affect their clients’ internal control over financial reporting. In layman’s terms, SOC 2 focuses on important policies and procedures not directly tied to revenue. SOC 2 was crafted to address the needs and concerns of a world where hackers and neer-do-wells from anywhere on the globe peck around to steal financial and computing resources, as well as personal information. As a result, a SOC 2 report focuses on at least one of these five principles:
- Security: The system is protected against both physical and logical unauthorized access.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the CICA.
Which one should you choose for your enterprise?
So, which is best for your organization and what should you require of vendors you rely upon? It really depends on your particular situation. If you’re publicly traded, then SOX already requires SOC 1. If you’re a privately held start-up which relies on IT infrastructure to conduct your business, then SOC 2 might be the better route for you to take, with a focus on security and availability to ensure that everything is secure and always up as you focus on growth and seek private investors.
In some circumstances, a business might determine that a combination of both SOC 1 and SOC 2 are necessary to ensure the broad range of their controls are effective. I think we’ll be seeing more of that in the next few years as businesses seek to meet the demands of their various stakeholders. If you process a lot of credit card transactions then you might already be required by your merchant bank to pass PCI DSS, which requires an entity to adhere to a broad range of IT best practices and includes vulnerability scanning to verify if your servers associated with credit card transactions are up to date and secure. In many cases, that’s a good combination. For example, XMission conducts annual SOC 1 audits with A-lign, a reputable CPA firm, and maintains PCI DSS compliancy with the most rigorous SAQ (Self-Assessment Questionnaire) validation, Type 5: SAQ v2 D. As a colocation and cloud hosting provider, among other things, this complementary blend enables us to cover a broader range of controls than either do alone so we can meet the requirements of our diverse customer base.
Looking for a hosting provider who can help you meet your organization’s auditing requirements? Contact XMission today.