If you’re a bank or credit union, then you likely already understand that you should be asking many of your vendors for a SOC report, especially your critical or high-risk vendors.
Have you noticed that some vendors give you a SOC 1, others give you a SOC 2 and sometimes a vendor will give you both? A few may even give you a SOC 3. There is a big difference between the various types of SOC reports and the differences are not obvious to the uninitiated.
First, let’s go back a few years. You used to ask your vendors for a SAS 70 (Statement on Auditing Standards No. 70) report. Originally, the SAS 70 was intended to be an audit of a service organization’s "internal controls over financial reporting" – controls that could affect its customers’ financial statements. But, because the SAS 70 strayed far from its intended use and was increasingly sold as a general-purpose IT or security assurance report, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) created the SOC framework.
A SOC 1
The SAS 70 was replaced by the SSAE 16 (Statement on Standards for Attestation Engagements No. 16). Let’s be clear. We’re talking about the original definition of a SAS 70, not what it evolved into over the approximately 20 years it was in the market. The old SAS 70 and an SSAE 16 are very similar, but the SSAE 16 has a few upgrades, notably a written assertion by the company’s management confirming that the system description is accurate and that the described controls are in place and functioning.
Oh, and by the way, a SOC 1 and an SSAE 16 are the exact same thing. Same book, different title – either one works. (Since 2017 the governing standard has been SSAE 18 rather than SSAE 16, but the report is still called a SOC 1, so don’t be thrown if the cover page names a different standard.)
So what does a SOC 1 cover?
A SOC 1 addresses a service organization’s controls that are relevant to its customers’ internal control over financial reporting. By definition, a SOC 1 (aka SSAE 16) is written for your financial statement auditors: it covers the vendor’s controls that could affect the accuracy of your books (think a core processor, a payroll provider or a loan-servicing platform), not how well the vendor keeps its own books.
A SOC 1 will usually include some IT general controls (logical access, change management, backups), but only to the extent that they support financial processing. Do not mistake a SOC 1 for an assessment of a vendor’s security program.
Additionally, there are 2 different types of SOC 1 reports - a SOC 1 Type 1 and a SOC 1 Type 2. The difference? A Type 1 report covers whether the controls were suitably designed and in place as of a point in time (a specific date). A Type 2 report tests whether the controls were in place and operating effectively over a period of time (typically six to twelve months). A Type 2 report is always more useful than a Type 1: it tells you the controls actually worked throughout the period, not just that they existed on one day, and it will include a description of any significant changes to the system during that period.
A SOC 2
Most of the time, this is probably the report you really want. It’s most definitely the report you want from an IT-type vendor. Unfortunately, because of the evolution of the old SAS 70 over the years, many folks erroneously believe that a SOC 2 report is the next level up from a SOC 1, and this couldn’t be further from the truth. One is apples, the other is oranges.
A SOC 2 report is an examination of a service organization’s controls over one or more of the following five (5) Trust Services Principles (TSP), now called the Trust Services Criteria:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Security is always in scope for a SOC 2; the other four are included only if the vendor chooses to have them examined. So the first thing to check in any SOC 2 is which of the five the report actually covers.
A SOC 2 is the only audit (and report) that defines a consistent set of criteria specifically around the products/services that a company provides (to you). If you want a measure of how well your vendor delivers a secure, available, confidential and private solution, the most reliable way to get that assurance is to ask for a copy of their independently audited SOC 2 report.
And just like the SOC 1, SOC 2’s come in two different flavors too. A Type 1 affirms controls are designed and in place as of a date. A Type 2 confirms the controls are in place and were actually working over the review period. So, yes, SOC 2 Type 2 is the best representation of how well a vendor is doing when it comes to managing and safeguarding your data. However, keep in mind as you review it that the controls are defined by the vendor and tested by an auditor or CPA firm, so read the report rather than just filing it: check that the systems and services you actually use are in scope, look at the auditor’s opinion and any noted exceptions, and read the "complementary user entity controls" section, which lists the controls the vendor expects you to have in place on your side.
A SOC 3
Once again, do not be fooled into believing that if a SOC 2 Type 2 is highly valuable then a SOC 3 must be the grand poobah of all SOC reports. It’s not.
From this author’s perspective, I’d much rather have a SOC 2 Type 2 any day of the week over a SOC 3. While the SOC 3 is likely to have some of the components of a SOC 2, it’s not going to be as comprehensive.
Why? It’s designed to be made available publicly (without the requirement of an NDA), so by nature it is less detailed and less technical, and therefore will not contain the same level of otherwise critical information (to you) that a SOC 2 Type 2 contains. Basically, it’s a high-level summary of the SOC 2 audit, with the auditor’s opinion but without the detailed control descriptions and test results, that comes with a seal a vendor can post on their website.
A SOC 3 can be used for the initial due diligence phase of a vendor, until you have determined that they are a serious prospect. After that, ask for the full SOC 2 Type 2 under NDA.