Demystifying SOC 2 reporting

This article is part of our ongoing SOC Insight series. Each piece focuses on a different area of SOC reporting and aims to answer the questions that are important to your business. Read on to learn why SOC reporting is about much more than checking a compliance box.

Across a wide range of industries, companies are hiring, at a growing rate, third-party service organizations that will have access to their sensitive data. This trend has created a greater need than ever to require that these third-party service organizations have effective and transparent information technology controls. To demonstrate this, many service organizations are sinking a lot of time and effort into completing a variety of questionnaires, audit requests and other ad hoc inquiries for customers who demand insight into how their sensitive data is being controlled.

When it comes to insight on controls, familiar reporting standards such as System and Organization Controls (SOC) 1 are focused entirely on financial reporting objectives and cannot be used to cover broader objectives, such as those related to data confidentiality, availability or privacy.

Enter SOC 2. The SOC 2 report has a similar look and feel to SOC 1 but focuses on controls aligned to the five Trust Services Principles developed by the AICPA to manage and protect customer data. Service providers that complete SOC 2 reports can demonstrate that their customers’ data is secure, available when needed and processed in a way that maintains its integrity. If data sensitivity or personally identifiable information (PII) is a primary concern, the SOC 2 report can show that controls for confidentiality and privacy are in place. (For more on the Trust Services Principles underlying SOC 2, see “SOC 2 and 3: Building customer trust through controls reporting.”) As such, SOC 2 reports can be applied to a broad array of situations to help third-party organizations demonstrate trust and transparency to their clients once they acquire customer data.

The purpose and scope of a SOC 2 report

Because the narrow lens of SOC 1 focuses only on financial reporting, it is primarily a report created by auditors for auditors. SOC 2 reports, however, are designed to be easily understood and used by those with a basic understanding of internal controls. Leaders in internal audit, risk management, operations, business lines and IT—and even regulators—can all use SOC 2 reports to gain insights into the design and operating effectiveness of controls managed by service organizations. In doing so, they can reduce the need for certain bespoke monitoring activities and allow for comparability between vendors.

The scope of a SOC 2 report includes an assessment of a service organization’s system of controls related to customer data, focused on the following areas:

  • Infrastructure: The collection of physical and virtual resources that support the overall IT environment used by the service organization to provide its services
  • Software: The applications and system software that the service organization uses to support data processing
  • People: The personnel involved in the governance, management, operation, security and use of the system providing services to customers
  • Data: Transaction streams, files, databases and other output files and data used or processed by the organization’s system
  • Procedures: The automated and manual procedures related to the services that the organization provides to customers

SOC 2 reports may be used by any industry and can benefit many stakeholders. Service providers can use this single report to satisfy the needs of multiple constituents and meet their contractual commitments over the diverse set of controls covered. In some cases, more transparent controls reporting can deliver a competitive advantage, particularly with prospective customers. Those customers can take their vendor’s SOC 2 assessment and use it to reduce their own cost of compliance. This is achieved when they receive reports prepared under standardized criteria—together with the results of testing of the controls that mitigate the relevant risks—issued by an independent auditor.


Getting started with SOC 2

Before a service organization completes a SOC 2 report, internal stakeholders should have an initial conversation with an independent service auditor to be sure that both parties understand the organization's objectives. This conversation helps to verify that the scope of the report addresses customer expectations. Then the organization will likely carry out a readiness assessment, performed by the independent auditor and shared with its management team, to identify any potential gaps. Next, to close those gaps, companies undergo a period of remediation in which controls are designed—or redesigned—and implemented. Once a robust and stable control environment is in place, the SOC 2 reporting process may begin.


***


Five years ago, SOC 2 reports were generally produced only by data center providers, hosting facilities and cloud computing providers. But, as the scope of SOC 2 reports available across markets and sectors has expanded from coverage of data security, availability and processing integrity into data privacy and confidentiality (fueled by increased customer demand for greater vendor transparency), more companies from different industries—such as banking, asset management and insurance—have followed suit. These organizations and their service providers can all benefit from the assurance that SOC 2 provides. For the customer organization, it provides a more cost-effective way to oversee its own vendors. For the vendor, it reduces the volume of due diligence requests it receives, allowing it to focus on growing and developing its business. And as greater awareness of, and requests for, independent assessments of controls beyond financial reporting become the norm, the benefits will only become more visible.
