Clearing Up SOC Misconceptions
08/08/19
Like countless other regulations, the system and organization controls (SOC) certification has many misconceptions attached to it. We attempt to dispel a few.
Service organizations frequently adopt the SOC 1 reports for the wrong purposes. Some of the common errors surrounding adoption are:
- These reports are certifications — After completion of the work, organizations will publish externally to customers and stakeholders that they are SOC 1 or SSAE 16-certified organizations. Fact is, these are not certifications. The guideline specifies that reports are limited distribution reports and can be used by the service organization, user organization and user auditors only.
- These reports can be generally distributed to potential customers and used as a marketing tool — In reality, the SOC reports are issued by the service organization for a specific purpose. The audiences for the reports are clearly defined. The reports are generally limited-distribution reports and have specific restrictions on use.
- All operational areas can be included in SOC 1 reports — Actually, IAASB/AICPA guidelines specify that the SOC 1 report is applicable only to internal controls over financial reporting cases where organizations want to include other areas such as privacy or confidentiality. The key difference is that SOC 1 reports are used for internal controls over financial reporting exclusively, while SOC 2/SOC 3 reports cover areas with respect to security, confidentiality, availability and privacy.
- Application software can be made to comply with SSAE 16 requirements — In fact, Usually SOC 1 reports are assurance provided on the internal controls over financial reporting and not product evaluations.
SOC is one of many regulations your organization must comply with to appease your vendors and clients. Through our Cybersecurity Compliance Program, 2W Tech can help your business obtain and maintain compliance with SOC and the countless other regulations you must follow to remain operational. Contact 2W today for help with your compliance needs.
Read More:
Safeguard Your Data in OneDrive
The Fourth Industrial Revolution is Here