Building confidence through SOC 2 reporting
Today, extending core and non-core functions to outsource service providers (OSPs) is playing a vital role in helping companies increase their efficiency and profitability. In fact, outsourcing of IT has evolved into a strategic business practice, and OSPs have become increasingly integrated with their clients’ day-to-day operations, often handling highly sensitive and critical information. This has the potential to profoundly impact their clients’ internal control framework, including compliance requirements.
Times are changing and the corporate Ireland scene is getting more dynamic and challenging. Business processes are becoming increasingly complex, and organisations are focusing on newer service delivery models as a way of managing increased technical complexity, tough competition and resource scarcity. Cloud computing, IT managed services and data centre hosting are emerging as the favoured business solutions. However, the question is – how can organisations have assurance that information entrusted to OSPs is secured, available, protected and processed completely and accurately?
This is precisely where the SOC 2 report fits in. Most organisations that work with OSPs are familiar with SOC 1 reports, which cover internal controls over financial reporting (ICFR) and support a customer’s financial audit. SOC 2 reports, on the other hand, enter a more far-reaching domain, focusing on the OSP’s controls that are relevant to American Institute of Certified Public Accountants’ (AICPA) Trust Service Criteria (TSC):
- Security: The system is protected against unauthorised access (both physical and logical). The security criteria serve as the basis for all SOC 2 reports and are commonly referred to as the Common Criteria.
- Availability: The system is available for operation and use as committed or agreed.
- Processing integrity: System processing is complete, accurate, timely, and authorised.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s commitments and system requirements.
A SOC 2 report will be similar in structure and general approach to the traditional SOC 1 report with an option for a Type 1 or Type 2 report. A Type 1 only covers the design of controls, while a Type 2 covers design and operating effectiveness.
SOC 2 can be applied for regulatory or non-regulatory purposes to cover business areas outside of financial reporting. The report can be distributed to customers and other stakeholders to focus on the system processing controls that meet their requirements. Many providers find that SOC 2 reports, typically updated every six to twelve months, often fulfil regulatory requirements while reducing the many employee hours currently spent completing multiple client audits, questionnaires, and surveys. More importantly, a SOC 2 report can help reinforce stakeholder confidence in an organisation’s operational performance, addressing concerns before they even arise.