How did SOC 2 Reports Come to Be?
In order to understand the purpose of a Service Organization Control (SOC) 2 Report, it’s important to understand the background and history of how the SOC 2 came into existence as a way for service organizations to manage the risks associated with outsourcing services.
The original standard was known as SAS 70 and was a way service organizations could demonstrate the effectiveness of internal controls at their organization. The SAS 70 audit was performed by a CPA and the result was a report on the effectiveness of internal control over financial reporting. Although not the intended purpose, organizations began using the SAS 70 report to prove that a vendor was secure and safe to work with. When the SSAE 16 or SOC 1 report replaced SAS 70, the SOC 2 was introduced as a report that addresses security.
The SOC 2 was welcomed with open arms and was intended to serve a wide range of organizations that need information security assurance services related to internal controls affecting the security, availability, processing integrity, confidentiality, and/or privacy of a system. The SOC 2 is based on predefined criteria known as the Trust Services Principles. The AICPA has defined these principles to ensure the following:
- Security – The system is protected against unauthorized access.
- Availability – The system is available for operation and use as committed or agreed.
- Processing integrity – System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in accordance with the privacy notice commitments.
Understanding the purpose behind the SOC 2 can help bring added benefits to your organization. A SOC 2 report can give you a competitive advantage by helping you to prioritize your risks in order to ensure that you’re delivering high quality services to your clients. KirkpatrickPrice encourages companies who are interested in demonstrating their commitment to privacy and security to consider engaging a third-party auditor to perform a SOC 2 audit.
Joseph Kirkpatrick on The History of SOC 2 Reports
In order to understand the SOC 2 audit report, I think it’s important to understand the background and the history of Service Organization Control Reports.
The original audit was referred to as a SAS 70 and it addressed internal controls, which can definitely include security, but over the years people started treating the SAS 70 as a report in order to prove that a vendor was secure, when that was not the original intention of that service organization control report. And so when the SAS 70 was replaced with the SSAE 16 standard, the AICPA renamed that the SOC 1 and they introduced the SOC 2 audit report in 2009 by issuing the Trust Services Principles that address security, availability, confidentiality, process integrity and privacy.
So finally we had a standard, we had some principles to rest upon that allowed us to address security, and that’s what the SOC 2 report is all about. You are able to choose which principles to include in that report, and security is always the core principle that has to be included in a non-privacy principle SOC 2 audit report.
Sarah Morris is the Managing Editor at KirkpatrickPrice. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.
Joseph Kirkpatrick, Managing Partner at KirkpatrickPrice, holds the CISSP, CISA, CGEIT, and CRISC certifications as a certified specialist in data security, IT governance, and regulatory compliance. He has delivered auditing and security assessment services for more than 15 years.