What’s SOC 2 (and SOC 3)?
Firms that use outsourced services are aware that outsourcing can affect their control over their financial reporting. In the past they used an audited AICPA SAS 70 report on their outsourced vendors to gain assurance over their financial controls. That report was designed for purely financial matters.
But users of outsourced services have other concerns as well, and for some time those were squeezed into the SAS 70 framework.
Because of this, the AICPA and CICA discontinued the SAS70 report in 2011. They then created separate audit reports that address effects on financial reporting (SOC 1), and reports that address users’ concerns over security, availability, processing integrity, confidentiality and privacy (SOC 2 and SOC 3).
Monitoring Vendor Relationships, Reassuring Customers
Users of outsourced services need better processes for monitoring the quality of those services. They need to reassure themselves that their outsourced providers are up to scratch. SOC reports provide a basis for effectively monitoring vendor performance. In this way they are a key management tool for outsourced provider managers and user organization managers. The detailed SOC 2 report performs this function.
They also provide an effective way of reassuring end customers that there is sufficient control and reliability in the outsourced systems that underlie a product offering. In that way they are an effective marketing tool. The general-use SOC 3 report performs this function.
The current structure of SOC 2 and the Principles and Criteria that apply are set out in the AICPA Trust Services Principles released in 2009. For more information, go to SOC 2 Trust Services Principles.