If you’re a service provider that processes customer data or hosts their systems, an independent third-party attestation report is more than a requirement of doing business; it’s a vital opportunity to:
Streamline business processes
Build trust and mitigate risk
Comply with regulatory requirements
Developed by the American Institute of Certified Public Accountants (AICPA), Service Organization Control (SOC) reports (formerly SAS 70) are reports designed to help service organizations build trust and confidence in the service performed and controls related to the services. A SOC report shows your customers that you have managed their data securely and with integrity.
Only independent Certified Public Accountants can deliver SOC reports. At Anderson ZurMuehlen we are a licensed CPA firm and in good standing with the AICPA. Each type of SOC report is designed to help service organizations meet specific user needs:
SOC 1 REPORT
SOC 1 reports are specifically focused on internal controls over financial reporting, primarily used for banks and investment firms that store financial data. A SOC 1 is an audit of the internal controls (policies, procedures, and technologies) which a service provider has implemented to protect client data. These reports replaced the SAS70 reports as of June 15, 2011.
SOC 2 REPORT
SOC 2 reports are for companies that store or process data, more focused on a company’s non-financial reporting controls. SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy. These reports are intended for use by stakeholders and regulators that need an in-depth understanding of the organization and its internal controls structure.
SOC 3 REPORT
These reports are designed for users who need reassurance on controls at the service organization but do not require the depth of information provided in a SOC2 report.