Confirming the Quality of Your Non-Financial Controls
If you are a technology or cloud service provider, you have access to a lot of confidential customer data. People who use your services want to know that you are taking the necessary precautions to protect the data they entrust to your service.
A SOC 2 or SOC 3 report will provide your customers with data to understand any risk they face by outsourcing to your company. Both reports provide assurance on compliance or operations, that is, on whether your controls are effective for delivering your service to your customers. Built on the AICPA’s Trust Service Principles, these audits focus on controls relevant to:
- Processing integrity
SOC 2 and SOC 3 reports are similar, except that the SOC 3 report does not contain the details contained in a SOC 2 report.
Just like SOC 1, there are two types of reports available:
- SOC 2, Type I – A look at whether controls are properly designed, in place and documented as of a certain point in time.
- SOC 2, Type II / SOC 3, Type II – A look at whether controls are properly designed, in place and documented across a period of time.
A SOC 2 report is generally restricted. This means that usage is limited to people who have knowledge of the service organization’s services and IT environment. On the other hand, a SOC 3 report can be shared with the public, and the service organization may place the SOC seal in its marketing materials.
SOC 2 and SOC 3 Experience
During a typical SOC 2 or SOC 3 examination, we’ll look at physical security, internet and infrastructure services, security administration, application security, controls over software changes, IT operations, systems and programming, general control environment and business continuity planning. Our SOC team consists of assurance, IT and internal control professionals who have performed examinations for a variety of businesses in the public, private and nonprofit space.
If you are looking for help with your SOC 2 or SOC 3 reporting requirements, contact us. We can help you understand what report you need and how to use it to your organization’s benefit. For more information on SOC reporting, read our SOC FAQs.