System & Organization Controls – Why Are SOC 2 Audits Important?

November 26, 2019

What is SOC?

System and Organization Controls (SOC) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). SOC audit reports give financial auditors comfort that the service providers their clients engage with have a minimum set of organizational controls in place that have been audited by an accredited third party. Auditors may reference SOC reports in their audits rather than having to perform audit discovery directly on their client’s service providers. Thus, choosing a cloud services provider who has a SOC audit can reduce the work required to meet your own audit obligations.

There are three levels of SOC audits:

SOC 1:  Controls consistent with service organizations’ own policies and objectives.

SOC 2:  Controls consistent with service organizations’ own policies and objectives and a set of principles and criteria established by the AICPA.

SOC 3: This is a summary report of a SOC 1 or SOC 2 audit that can be published publicly, because proprietary information has been redacted. It is generally only used for marketing purposes and is not commonly performed. Providers will usually ask for an NDA before releasing the SOC 1 or SOC 2 report rather than go through the expense of creating a SOC 3 report.

SOC 1 and 2 reports are available in two types:

  • A Type 1 audit focuses on control design and simply tests controls at a specific point in time. This is, optionally, the first audit a company might go through to demonstrate that it has appropriate controls in place. All subsequent audits will be of Type 2.
  • A Type 2 audit focuses on control design and operating effectiveness, testing controls over a period of time, generally from 3 months to 1 year.

A Brief History of SOC 2

In 2018, SOC 1 reports based on the SSAE-16 standard were superseded by the SSAE-18 standard. When dealing with due diligence requests, SAS70, SSAE-16, SSAE-18, SOC 1, and SOC 2 may often be used interchangeably, as common usage in the industry does not always reflect changes in the standards.

Why should I care about SOC 2?

First, SOC 2 can play an important role in regulatory compliance. Although a SOC audit is intended to test the operational controls of third-party service organizations that serve publicly traded companies, for the purposes of financial audit, regulators increasingly expect organizations subject to HIPAA, PCI and other regulations to demonstrate that they, and the service organizations they rely on, have at least SOC 1 if not SOC 2 audits performed.

Second, even if you are not in a regulated industry, financial reporting and general concern with security are increasing the demand for SOC audits. SOC 2 reports, in particular, provide additional assurance that the controls developed and implemented by the service organization are not only consistent with the service organization’s own policies, but also comply with the principles and criteria established by the AICPA.

Rest assured that the All Covered Cloud Services environment meets rigorous standards and has achieved the highest level audit defined by the AICPA.

Last, a SOC audit eases the passing of your own financial audit. Your auditors will most likely ask you to demonstrate that your cloud service provider has achieved a SOC audit.

Where does All Covered have SOC 2 Audits?

SOC 2 Type 2 audits are maintained for All Covered Cloud operations and all three domestic data centers where we house our cloud infrastructure.

People are looking for cloud solutions now more than ever. All Covered Cloud services and the SOC 2 audit make us an enterprise-grade solution, fit for clients who need additional design assistance, migration and support services.

Contact us to learn how All Covered Cloud can help meet your business needs.

always be prepared

Kurt Toelken
Solutions Architect for Cloud Services