SOC1 & SOC2
The general and most common term for reporting on third-party risks by service organizations to user organizations is Systems and Organization Control Report or SOC-report. This term is originated by the American Institute of Certified Public Accountants (AICPA) as a replacement for the SAS70 framework.
These were formerly named Service Organization Control reports. SOC is a suite of reports that originated in the US. ISAE 3402 aligns with the US Statement on Standards for Attestation Engagements (SSAE) 18 US standard. An ISAE 3402 report provides assurance on a service organization’s description of its system and the suitability of the design and operating effectiveness of its controls through a Service Auditor’s Report.
ISAE 3402 SOC1
In an ISAE 3402 SOC1 report, organizations define their own control objectives and controls and align these with customer’s needs. The scope of an ISAE 3402 is typically all operational and financial controls that have an impact on the financial statements, and the IT General Controls (e.g., security management, physical and logical security, change management, incident management and systems monitoring and. In other words, if an organization is hosting financial information that could affect your client’s financial reporting, then a ISAE 3402 SOC1 audit report makes the most sense for an organization to pursue, and will likely be requested. The ITGC’s, operational controls, and financial controls are in the scope of the ISAE 3402 SOC1 audit.
In a SOC 1 audit control objectives, which are used to accurately represent internal control over financial reporting (ICOFR) are required to be included if the organization is subject to SEC filings in the US.
Since the most import suppliers to financial institutions where IT service providers and at a later stage Cloud Service providers and datacenter/ housing providers the SAS70, SSAE 18 SOC 1 and ISAE 3402 gained terrain in the IT industry becoming the most comprehensive and transparent standard for effective IT outsourcing and risk excellence. Organizations requiring an ISAE 3402 SOC1 report often consider ISAE 3000 SOC2 reports.
ISAE 3000 SOC2
In ISAE 3000 SOC2 reports the Trust Services Principles and Criteria (TSP’s) are applied. The TSP’s are a set of specific requirements developed by the AICPA and Canadian Institute of Chartered Accountants (CICA) to provide assurance over security, availability, confidentiality, processing integrity, and privacy. An organization can choose the different aspects that are relevant to their customer’s needs. A ISAE 3000 SOC2 report can cover one or more principles. If your organization is hosting or processing other types of information for your clients that does not impact their financial reporting, then a ISAE 3000 SOC 2 is more relevant. In this instance, your clients are likely concerned whether you are handling their data in a secure way, and if it is available to them in the way you have contracted it to be. A SOC 2 report, similar to a SOC 1 report, evaluates internal controls, policies, and procedures.
SOC1 OR SOC2?
Organizations that process, host or manage systems or information that impact financial reporting should always provide an ISAE 3402 SOC1. ISAE SOC2 is applicable if all systems and processes are unrelated to financial reporting. Datacenter-, IaaS, Paas providers typically report hybrid, with both an ISAE 3402 SOC1 for finance-related processes and systems and ISAE 3000 SOC2 for unrelated processes and systems. The content of both reports will be identical.