Service and Organization Controls report
Whether issued under the American Institute of CPAs (AICPA) SSAE18, the UK's ISAE3000, or NZ's SAE3150, a Service and Organization Controls (SOC) assurance report gives your customers insight into your organisation and assurance on its controls. A SOC report can cover several control areas, ranging from governance, communication and risk management to technical security and privacy controls.
When do you need a SOC report?
You need one if you offer your services to customers through your cloud (SaaS or IaaS) platform. Your customers may require you, as their service provider, to hold a SOC report so that they have confidence and assurance in the controls that protect their data. In most cases these customers are in the USA or have ties with the USA, and sometimes the UK. Another reason to pursue a SOC assurance statement is to attract more customers from the USA or UK: a SOC report, based on SAE 3402 or SSAE 16, is a powerful marketing instrument for attracting the attention of customers from these countries.
SOC 1, 2 or 3 model?
Depending on the needs of your customers, you can choose to pursue a SOC 1, 2 or 3 assurance report. Note that SOC 3 is a stripped-down public version of a SOC 1 or SOC 2 report, which you can obtain after getting a SOC 1 or SOC 2 assurance report.
| Model | Purpose of SOC report | Which controls are covered in your report |
|---|---|---|
| SOC 1 | Assurance for your customers' financial statements | Controls relevant to your customers' financial reporting |
| SOC 2 | Assurance to customers or other stakeholders on Security, Confidentiality, Processing integrity, Availability and/or Privacy | Controls on Security, Confidentiality, Processing integrity, Availability and/or Privacy |
| SOC 3 | To provide potential customers and the public with assurance on your controls | General information on Security, Confidentiality, Processing integrity, Availability and/or Privacy |
Type 1 or 2?
Besides the above-mentioned SOC models, there are two levels of assurance you can choose from for each of the models.
| Type | Report on | Testing |
|---|---|---|
| Type 1 | Description of the organisation's systems and control objectives; the auditor's opinion on the fairness of that description; the auditor's opinion on the design of the controls to achieve the control objectives | At a specific point in time |
| Type 2 | Description of the organisation's systems and control objectives; the auditor's opinion on the fairness of that description; the auditor's opinion on the design of the controls to achieve the control objectives; the auditor's opinion on the operating effectiveness of the implemented controls to achieve the control objectives | Over a period, usually 6 months |