SOC Reports Explained
January 8, 2014
Rest assured, you make perfectly good nonsense. I understand you one-hundred-percent not at all.
~Richelle E. Goodrich
SAS 70, SSAE16, SOC1/SOC2/SOC 3, Type I/Type II/Type III… Let the confusion commence! Whoever came up with these naming conventions certainly didn’t have a degree in marketing. While the names given to these reports may seem dull and uninteresting, the SOC report is actually one of the most important resources at the disposal of both Long View and our customers. Having been responsible for successfully maintaining this report for 6 consecutive years, I can attest to the vast levels of confusion and misunderstanding surrounding these reports. As such, the intention of this post is to bring some clarity to this often misunderstood and generally unappreciated business tool.
What is a SOC report and why is it important?
Service Organization Control (SOC) reports are used by service providers to audit and validate relevant business and operational controls which support the services subscribed to by their customers. At Long View this report identifies and validates a wide array of controls – everything from the Managed IT Services and OnDemand Cloud infrastructure/service models to corporate governance and HR controls. SOC reports will often audit these controls over a defined time span. At Long View we pursue a full year audit, the maximum possible.
One of the primary purposes of the SOC report is to support and confirm the audit and compliance control requirements of a business as they relate to the services it outsources to a service provider (e.g. Sarbanes-Oxley).
SOC reports are often used to:
• Help businesses understand the operational model of the service provider
• Ensure it aligns with their unique needs/requirements
• Provide insight as to the provider’s level of capability and maturity
SOC vs. SAS 70 Reports
As of June 2011, the SAS 70 audit standard has been discontinued. In its place is a new standard in the form of SOC reports which are explained in detail below.
SSAE16/SOC1 vs. SOC2 vs. SOC3
SOC reports come in three different variations (SSAE16/SOC1, SOC2 or SOC3), and each has its own unique purpose in supporting the needs of a provider’s customers.
- SSAE16/SOC1 – Of the three reports, this is the only option that is accepted internationally. The SOC1 report is used when in-scope controls could potentially impact the financial statements of customers using the outsourced services. In addition to supporting financial controls, SOC1 reports often contain a listing of controls supporting service operations similar to a SOC2 report (albeit in a different format), thus negating the need to provide two separate reports. Long View currently maintains an SSAE16/SOC1 Type II report.
- SOC2 – Intended to describe, assess and validate controls that affect the security, availability, processing integrity, confidentiality and privacy of customers subscribed to the services of an external provider. A common example is a co-location facility providing security controls for hosting services.
- SOC3 – Similar to a SOC2, except that only a certification is provided rather than a full attestation report. An example of where this might be useful is an online retailer that wants to provide assurance of privacy and security (via a logo on the website) but does not have customers who require a full audit report.
Type I vs. Type II Reports
SOC reports can be documented as either a Type I or Type II.
- Type I reports describe the provider’s operating controls and the suitability of their design.
- Type II reports contain all of the information included in a Type I but also audit the effectiveness of the controls over a defined period (typically 3 months to a year). This is the most common type of SOC report.
How can I request a copy of Long View’s SSAE16/SOC1 Type II report?
If you are an existing customer and would like to request a copy of Long View’s SSAE16/SOC1 Type II report, please contact your Long View account representative. If you are new to Long View please email your request to firstname.lastname@example.org.