If you’re a regulated organization, you likely already understand that you should be asking many of your vendors for a SOC report, especially your critical or high risk vendors.
Have you noticed that some vendors give you a SOC 1, others give you a SOC 2 and sometimes a vendor will give you both? A few may even give you a SOC 3. There is a big difference between the various types of SOC reports and the differences are not obvious to the uninitiated.
Differences Between SOC 1, 2 and 3
Brief SOC Background
The SAS 70 was replaced by an SSAE 16 – Statement on Standards for Attestation Engagements (SSAE) No. 16. Let’s be clear. We’re talking about the original definition of a SAS 70, not what it evolved into over the approximate 20 years it was in place in the market. The old SAS 70 and the SSAE 16 were very similar but the SSAE 16 had a few upgrades like an attestation by a company’s management confirming the described controls are in place and functional.
In May 2017, the SSAE 16 was superseded by the SSAE 18. The SSAE 18 provides the guidelines for SOC reporting and requires your vendor to outline their vendor’s functions being provided by the subservice organization and the assumed controls that have been put in place (your fourth parties).
A SOC 1
A SOC 1 addresses internal controls that are relevant to a company’s internal control over financial reporting. By definition, a SOC 1 is designed to review a vendor’s financial and accounting controls. In other words, how well do they keep their books?
Additionally, there are two different types of SOC 1 reports – a SOC 1 Type I and a SOC 2 Type II. The difference? A Type I report audits controls as of a point in time (a single date). A Type II report covers controls that were in place and operating for a period of time. A Type II report is always better than a Type I because it tests control effectiveness over a period of time. A type I report, often times, does not test controls.
A SOC 2
Most of the time, the SOC 2 is probably the report you really want. It’s most definitely the report you want from an IT type vendor. Unfortunately, because of the evolution of the old SAS 70 over the years, many folks erroneously believe that a SOC 2 report is the next level up from a SOC 1 and this couldn’t further from the truth. One is apples the other is oranges.
A SOC 2 report is an examination on a service organization's controls over one or more of the following five (5) Trust Services Criteria (TSC):
- Processing Integrity
A SOC 2 is the only audit (and report) that defines a consistent set of criteria specifically around the products/services that a company provides (to you). If you want a measure of how your vendor provides a secure, available, confidential and private solution, there’s only one way to get that assurance: ask for a copy of their independently audited SOC 2 report.
And just like the SOC 1, SOC 2s come in two different flavors, too. A Type I affirms controls are in place. A Type II confirms the controls are in place and are actually working. So, yes, SOC 2 Type II is the best representation of how well a vendor is doing when it comes to managing and safe-guarding your data. However, keep in mind as you review that the controls are created by the vendor and tested by an auditor or CPA firm.
A SOC 3
Once again, don’t be fooled into believing that if a SOC 2 Type II is highly valuable that a SOC 3 must be the greatest of all SOC reports. It’s not.
From this author’s perspective, I’d much rather have a SOC 2 Type II any day of the week over a SOC 3. While the SOC 3 is likely to have some of the components of a SOC 2, it’s not going to be as comprehensive.
Why? It’s designed to be made available publicly (without the requirement of an NDA) so by nature it’s less detailed/less technical and, therefore, will not contain the same level of otherwise critical information (to you) that a SOC 2 Type II contains. Basically, it’s a high-level summary of a SOC audit that comes with a seal of approval a vendor can post on their website.
A SOC 3 can be used for the initial early upfront due diligence phase of a vendor until you have determined if they are a serious prospect.
Request and Analyze SOC Reports on Your Vendors
In the end a SOC report is an invaluable report to request to verify your vendor has sufficient controls in place and that the controls are operating effectively. Analyzing a SOC report – whether it be a SOC 1, 2 or 3 – assists greatly with ongoing monitoring and ensuring compliance with regulatory expectations.
Dive deeper into the importance of SOC Reports and how to review them. Download the eBook.