If your enterprise is a service provider that handles customer data, it should have a System and Organization Controls for Service Organizations 2 (SOC 2) report attesting to its SOC 2 compliance. If you outsource work, your sub-contractors should be SOC 2 compliant, as well.

Developed by the American Institute of Certified Public Accountants (AICPA) in response to growing concerns over data privacy and security, SOC 2 applies to all service providers that process and store customer data. Auditors use AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which emphasizes data security, as a framework.

SOC 2 compliance demonstrates your organization’s commitment to protecting the privacy and security of customer and client information—increasingly important in our connected digital age.

However, SOC 2 is not mandated by government or industry regulators: compliance is voluntary.

Still, most service providers choose to comply. Why?

Six Reasons for SOC 2 Compliance

  1. Customer demand: Protecting customer data from breach and theft is top-of-mind for your clients, so without a SOC 2 attestation, you could lose business.
  2. Cost-effectiveness: Think audit costs are high? In 2018, a single data breach cost, on average, $3.86 million, according to a study by Ponemon and the IBM Institute. That figure rises every year.
  3. Competitive advantage: Having a SOC 2 report in hand will give you the edge over competitors who cannot show compliance.
  4. Peace of mind: Passing a SOC 2 audit provides assurance that your systems and networks are secure.
  5. Regulatory compliance: Because SOC 2’s requirements dovetail with other frameworks including HIPAA and PCI DSS, attaining certification can speed your organization’s overall compliance efforts.
  6. Value: A SOC 2 report provides valuable insights into your organization’s risk and security posture, vendor management, internal governance, regulatory oversight, and more.

Which SOC Report Do You Need?

SOC 2 reports discuss five Trust Services Categories, also known as Trust Services Criteria (formerly Trust Services Principles):

  • The security, availability, and processing integrity of the systems the service organization uses to process users’ data
  • The confidentiality and privacy of the information processed by these systems

SOC 2 and SOC 3 both use these categories. SOC 1, however, differs completely.

  • SOC 1 governs financial reporting. A SOC 1 report will answer these kinds of questions: Are internal service organization controls on financial reporting well designed? Do the organization’s controls work, helping it to meet financial goals?
  • A SOC 2 report discusses controls that affect the organization’s information security, availability, processing integrity, data confidentiality, and privacy.

SOC 2 and SOC 3 reports cover the same subject matter, but the difference lies in their intended audience.

  • SOC 2 reports are written for an informed, knowledgeable audience whose members may have a vested interest in the audit findings.
  • SOC 3 reports address a more general audience and tend to be shorter and less detailed than SOC 2 reports. They are often used to demonstrate SOC 2/3 compliance to prospective clients and for marketing.

SOC 2 reports are applicable to these industries, among others:

  • Cloud computing
  • IT security management
  • Software as a Service (SaaS) vendors
  • Financial processing
  • Accounting and auditing
  • Customer support
  • Sales support
  • Medical claims processing
  • Legal
  • Pharmaceutical
  • Insurance claims processing
  • Human resources
  • Data analysis
  • Document and records management
  • Workflow management
  • Customer relationship management (CRM)
  • Technology consulting

Which Type of Report Do I Need?

To complicate the question even more, SOC 2 reports come in two types, with each covering a different period of time.

  • Type 1, often an organization’s first-ever SOC 2 report, looks at controls governing data security and privacy at the time of the audit. Type 1 takes a “snapshot-in-time” approach, setting a baseline for future audits.
  • Type 2 reports discuss the effectiveness of your organization’s information security and privacy controls since your last SOC audit, which typically means one year.