For nearly 20 years, the SAS 70 auditing standard was the accepted method of assessing a service organization’s data security processes and policies. But now, AICPA SOC (Service Organization Control) reports are considered to be the preferred method. There are actually three different SOC reporting options – SOC 1, SOC 2 and SOC 3. This is a major change, so it’s important that you are aware of them and how they could impact your company. Here are five important points you need to consider when it comes to proving the effectiveness of your data security strategies.
1. There’s a New Sheriff in Town
These days, it’s definitely a SOC world. The importance of the shift from SAS 70 to SOC really can’t be overstated – it’s monumental. The American Institute of Certified Public Accountants (AICPA) replaced SAS 70 with a new standard, known as SSAE (Statement on Standards for Attestation Engagements) 16, and later with SSAE 18. SSAE 18, the new de facto standard for compliance reporting, sits under the umbrella of the SOC framework, and SOC 1, SOC 2 and SOC 3 reports all lie within that framework.
The AICPA changed the standard in an effort not only to modernize data security reporting, but also to take a more global approach. There is an international equivalent of SSAE 18, known as ISAE 3402.
SAS 70 was more of a one-size-fits-all auditing protocol. SSAE 18 is not only more robust, it also offers superior scalability and flexibility. It does a much better job of handling today’s complex business and IT controls. While trying to comprehend all of this may make your eyes glaze over, just keep in mind that this is a very positive development. Not only do you have a wide range of auditing options from which to choose, you also have a company – NDB – that will help you make the right decision. Not only do we offer the highest quality assessment services, we provide those services at fees that don’t fluctuate.
2. SOC 1 Reports Take the Lead
The demise of SAS 70 has cleared the way for a new leader in data security compliance, and SOC 1 is it. SOC 1 provides flexibility in reporting options that work in conjunction with SSAE 18. There are two types of SOC 1 reports. SOC 1 Type 1 reports look at an organization’s internal controls on a specific date – such as September 30, 2021. SOC 1 Type 2 reports, on the other hand, look at a broader timeframe – typically at least six months.
One of the reasons the SSAE 18 standard has gained such widespread acceptance goes back to the flexibility mentioned earlier. It provides a framework that addresses the nexus between service organizations and the third-party entities with which they share data.
There is still an argument over whether the SOC 1 or SOC 2 audit protocol (which we’ll address in further depth in the next section) is the best method for assessing data security effectiveness. There are many types of technical operations, such as managed services providers and data centers, that use SOC 1 audits. However, as you’ll learn later, the SOC 2 reporting option is gaining a great deal of traction.
3. The Emergence of SOC 2
Acceptance of SOC 2 is gradually increasing. Bottom line, it’s growing as a legitimate alternative for cloud computing entities, data centers, and other technology-based service organizations. SOC 2 reports fall under the AT (Attestation Standards) 101 professional standard, while SOC 1 reports fall under the SSAE 18 standard. We believe that the momentum of SOC 2 will continue to increase as companies get a better understanding of its value.
Why does SOC 2 acceptance continue to grow? One of the biggest reasons is that it incorporates Trust Service Principles (TSPs). These comprise the following:
- Processing Integrity
A SOC 2 report is extremely transparent, and will give not only your customers, but also their auditors and investors, confidence that you have effective controls in place regarding the security of your data. It shows that your employees, your software and your infrastructure are doing an acceptable job of handling – and protecting – data.
4. Don’t Forget SOC 3
There is another option in regards to data security auditing, and that’s SOC 3. It shares a lot of characteristics with SOC 2. Both of them incorporate TSPs, both fall under the AT 101 umbrella, and both are increasing in acceptance. While SOC 3 doesn’t have the same technical depth as SOC 2, it does include the issuance of WebTrust and SysTrust seals. These can both be used to validate your compliance with data security mandates.
5. Data Security Policies and Procedures Should Be Among Your Top Priorities
Regardless of which type of report you choose, your company will need the policies and procedures in place to achieve SOC compliance. Your information security policies have to be strong, and your procedural documentation must be impeccable. These are not only vital to achieving compliance with all industry and government regulations, but also critical to securing the trust of your customers.
This is a daunting process, as you can well imagine. It’s not just mundane, it also takes a great deal of time. You have to factor in every IT domain that needs documentation: access rights, data backup, change control, incident response, and many, many others.
NDB offers complimentary SOC 1 and SOC 2 Policy Packets to our clients to help them navigate this taxing, complex process. These packets can help save you a great deal of time, and a great deal of money. These industry-leading packets have helped our clients save thousands of dollars.