Most organizations today depend on other organizations for certain services. These services can range from payroll processing, human resource management, computing or storage services to third-party hosted co-locations or data centers, or any kind of SaaS service. Organizations that provide such services to other organizations are called service organizations. To gain the confidence of customers, these service organizations need to provide some kind of confirmation, some kind of assurance, that they handle their customers’ data in a secure and reliable manner and that customers can trust the service organization with their data. They could do that by explaining to each customer which IT controls are in place, what protection they provide, how they keep customer data confidential, what kind of monitoring is in place, how effective the overall controls are, etc. As you can imagine, this can be an extremely time-consuming and cumbersome process. That’s where a SOC report comes in. A SOC report is an attestation from an independent auditor that sufficient controls have been put in place by the service organization to safeguard the service being provided. Once a SOC attestation has been acquired, the service organization, instead of answering questions from each customer about the various controls in place to safeguard their data, can simply present the SOC report as proof that it has been audited by an independent auditor and that the auditor has confirmed the relevant controls are in place.
SOC stands for System and Organization Control. The governing body for SOC reports is AICPA (American Institute of CPAs or Certified Professional Accountants). There are three types of SOC reports – SOC 1, SOC 2 and SOC 3.
SOC 1: A service organization needs to go for a SOC 1 report if its internal controls can impact its customers’ financial statements. For example, if a service organization does payroll processing for its customers, it could go for SOC 1.
SOC 2: This is what is applicable in most cases. SOC 2 is needed when the IT controls of the service organization do not impact its customers’ financial statements.
To obtain a SOC 2 attestation from an auditor, the management of the service organization provides a description of the controls that have been put in place, and the auditing firm provides its opinion on whether those controls are good enough.
A SOC 2 report comes in two flavors – Type 1 and Type 2.
SOC 2 Type 1: A Type 1 report tests whether the controls that management asserts are in place are indeed in place, and whether they are suitably designed for their intended purposes. So, a Type 1 report is about the suitability of the design of the controls. In other words, management says “we have such and such controls in place to ensure customers’ data remains confidential”. The auditor performs an audit and, if satisfied, says “yes, that’s right. I’ve checked. I agree.”
SOC 2 Type 2: A Type 2 report is needed because the mere existence of certain controls does not mean they are operating effectively. An organization may have two firewalls configured in failover for redundancy (to ensure the availability aspect of security), but when one firewall failed last time, did the second one actually take over seamlessly without affecting availability? Similarly, an organization may have logging in place, but when an unauthorized user tried to log in multiple times and failed, did it generate any alert for someone to investigate further? That’s where a Type 2 report comes in. A Type 1 report only confirms that the controls are designed effectively, whereas a Type 2 report tests those controls over a period of time (mostly from 6 to 12 months) and tests their operating effectiveness. So, it confirms the suitability of the design of the controls (i.e. Type 1) AND tests their operating effectiveness over a period of time as well. In that sense, it’s a little different from other audits, as it tests the effectiveness of the controls over a period of time – a period that has already gone by.
To test the suitability of design and operating effectiveness of the controls, they can be evaluated against five aspects. These five aspects together are called the TSC (Trust Services Criteria). They are:
– security
– availability
– confidentiality
– processing integrity
– privacy
Not all five aspects are applicable in all cases. For example, if a service organization deals only with public data, then it may not need to be tested on the confidentiality or privacy aspects.
So, that’s SOC 2.
SOC 3: Now, because of the details that a SOC 2 report contains, it’s not meant to be distributed freely. There are limitations on its distribution. You can’t publish a SOC 2 report on your website or use it in marketing materials. That’s why we have the SOC 3 report. A SOC 3 report is a general-use report that can be distributed freely. A SOC 3 report, unlike SOC 2, does not contain any details on the description of controls, the testing performed by the auditor, or the results. It’s just a “seal of approval”. A SOC 3 report is meant for users who, in the words of AICPA, “do not have the need for or the knowledge necessary to make effective use of a SOC 2 report.” So, that’s SOC 3.
NOTE: Type 1 and Type 2 reports are applicable to SOC 1 reports as well. The concept for both types remains the same as described above for SOC 2. However, there’s just a single SOC 3 report.
Hope that helped you get some clarity on the three SOC reports and the differences between them.