You are here

Why Should Tech Companies Care About SOC Reporting Standards?

Written by: Ryan J. Rodrigue, CISA, CISSP
Technology companies should be aware of the many benefits they can derive from meeting the Service Organization Control (SOC) Reporting Standards.

The American Institute of Certified Public Accountants (AICPA) developed these standards in conjunction with the Canadian Institute of Chartered Accountants (CICA) to ensure that the internal controls of service providers follow certain guidelines. There are three types of SOC reports, which include:

  • SOC 1: These cover controls for financial reporting
  • SOC 2: These pertain to information systems, and evaluate their security, availability, privacy, confidentiality and/or processing integrity. These reports rely on WebTrust and SysTrust principles
  • SOC 3: These evaluate the same criteria as a SOC 2, but the reports are intended for widespread public distribution and include an official seal of certification

Startup technology service providers may be particularly interested in knowing about SOC 2 and SOC 3 reports, since these firms often handle substantial amounts of sensitive client data.

EVOLUTION OF SOC STANDARDS
To understand how the SOC standards work, it may be helpful to briefly review their history. In 1992, the AICPA developed a widely recognized auditing standard known as Statement on Auditing Standards (SAS) No. 70, to ensure that service providers have been through an examination of their internal controls. For almost 20 years, service providers leveraged SAS No. 70 to provide information on their internal controls to their customers, using a standardized reporting format.

SSAE NO. 16
In 2011, the AICPA released Statement on Standards for Attestation Engagements (SSAE) No. 16, which included the SOC reporting framework and replaced SAS No. 70 as the authoritative guidance for reporting on service organizations. AICPA released the new framework in an effort to ensure that its standards for service organizations aligned with the new International Standards for Assurance Engagements (ISAE) No. 3402.

WHAT THAT MEANS FOR TECHNOLOGY FIRMS
While the aforementioned history can help provide technology firms with a brief primer on what the SOC Standards are, your organization is likely looking for more practical information. Meeting these guidelines is not required by any current regulations. However, service providers can obtain a competitive advantage by showing that they have the proper internal controls and safeguards in place.  If your company wants to market to clients that take a sophisticated approach to managing risk, meeting the SOC Standards is helpful.

KEY CONCERNS

  • Marketing to specific demographics – Technology firms interested in targeting certain verticals like finance or health care should know that they will encounter high expectations for their internal controls. Clients in these industries may be unwilling to consider vendors that do not meet the SOC Standards.
  • Time investment for getting a SOC report – Meeting the SOC Standards takes time. If a prospect asks in the middle of the sales cycle, the potential vendor may be out of luck.
  • Preparing resources for an audit – Companies that want to meet these standards should first ensure their internal controls are in the right place and then obtain a formal audit from an audit firm. Completing a SOC report takes about eight weeks.

5 PRINCIPLES TO CONSIDER
Technology firms getting ready for an audit should keep five principles in mind:

  • Security – Is the system protected, both logically and physically, against unauthorized access?
  • Availability – Is the system available for operation and use by your customers?
  • Processing Integrity – Are data and transactions processed within the system complete, accurate, timely, and authorized?
  • Confidentiality – Is confidential information restricted to only users with appropriate authorization?
  • Privacy – Is personal information collected, used, retained, and disclosed in accordance with your privacy notice and with Generally Accepted Privacy Principles (GAPP)?

Companies planning to undergo an audit should keep in mind that firms rarely have all of these best practices covered. Companies can select which principle or principles they want to include in their SOC report based on customer requirements, but they must meet all of the criteria specified under their selected principle(s).

If you have any questions, contact Ryan J. Rodrigue, CISA, CISSP, Senior IT Assurance Manager, at 617-428-5443 or rrodrigue@wolfandco.com