SOC 1 & SOC 2
The general and most common term for a service organization's assurance report to its user organizations on third-party risk is the System and Organization Controls report, or SOC report. The term was introduced by the American Institute of Certified Public Accountants (AICPA) when the SAS 70 framework was retired.
These reports were formerly named Service Organization Control reports. SOC is a suite of reports that originated in the US. The international standard ISAE 3402 aligns with the US Statement on Standards for Attestation Engagements (SSAE) 18. An ISAE 3402 report provides assurance, through a Service Auditor's Report, on a service organization's description of its system and on the suitability of the design of its controls; a Type I report covers the description and control design at a point in time, while a Type II report also covers operating effectiveness over a review period.
ISAE 3402 | SOC 1
In an ISAE 3402 | SOC 1 report, the organization defines its own control objectives and controls and aligns them with its customers' needs. The scope of an ISAE 3402 is typically all operational and financial controls that could affect the user organizations' financial statements, plus the IT General Controls (ITGCs, e.g. security management, physical and logical security, change management, incident management, and systems monitoring). In other words, if an organization hosts or processes financial information that could affect its clients' financial reporting, an ISAE 3402 | SOC 1 audit report is the one that makes the most sense to pursue and the one that will most likely be requested.
In a SOC 1 audit the control objectives must address internal control over financial reporting (ICFR); this is what user organizations that are subject to SEC filings in the US, and their financial auditors, rely on the report for.
Because the most important suppliers to financial institutions were IT service providers, and later cloud service providers and data center/hosting providers, SAS 70, SSAE 18 SOC 1 and ISAE 3402 gained ground in the IT industry and became the established standard for assurance over outsourced IT. Organizations that need an ISAE 3402 | SOC 1 report often also consider an ISAE 3000 | SOC 2 report.
ISAE 3000 | SOC 2
In ISAE 3000 | SOC 2 reports the Trust Services Criteria (TSC, formerly the Trust Services Principles and Criteria) are applied. The TSC are a set of specific requirements developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA, now CPA Canada) to provide assurance over security, availability, confidentiality, processing integrity, and privacy. An organization selects the categories that are relevant to its customers' needs; security (the common criteria) is always included, and a report may additionally cover one or more of the other categories. If your organization hosts or processes information for its clients that does not affect their financial reporting, an ISAE 3000 | SOC 2 is the more relevant report. In that case your clients are mainly concerned with whether you handle their data securely and whether it is available to them in the way you have contracted it to be. Like a SOC 1 report, a SOC 2 report evaluates internal controls, policies, and procedures.
SOC 1 OR SOC 2?
Organizations that process, host or manage systems or information that affect their customers' financial reporting should always provide an ISAE 3402 | SOC 1. ISAE 3000 | SOC 2 applies when the systems and processes in scope are unrelated to financial reporting. Data center, IaaS and PaaS providers typically report in a hybrid way, with an ISAE 3402 | SOC 1 for finance-related processes and systems and an ISAE 3000 | SOC 2 for the remaining processes and systems. The structure of both reports is largely the same (the auditor's opinion, management's assertion, the description of the system, and the controls together with the auditor's tests and results); what differs is the criteria the controls are assessed against: control objectives defined by the organization for SOC 1, and the Trust Services Criteria for SOC 2.