SSAE18

The process and report created from an assessment of a company's internal controls are known as an SSAE18. SSAE stands for Statement on Standards of Attestation Engagements and is overseen by the American Institute of Certified Public Accountants (AICPA).

 

Under SSAE18 there are three different Service Organization Controls (SOC) reports: SOC 1, SOC 2 and SOC 3.

 

SOC 1, SOC 2 & SOC 3

 

SOC 1

 

SOC 1 engagements are based on the SSAE 18 standard and report on the effectiveness of internal controls that may be relevant to clients' internal control over financial reporting.

 

SOC 2

 

SOC 2 evaluates internal controls, policies and procedures related to the security of a system. This report was designed to determine if an organization is compliant with the Trust Services Principles: security, availability, processing integrity, confidentiality and privacy. These principles are unrelated to internal control over financial reporting (ICFR).

 

SOC 3

 

SOC 3 is also based on the Trust Services Principles, but the major difference is restricted use. Unlike SOC 1 and SOC 2, the SOC 3 report can be freely distributed and can provide interested parties with information on whether an entity maintained effective controls over its systems. This report does not provide a description of the organization's system and can be used for RFPs and marketing.

 

SOC Compliance

 

For security-minded companies, SOC Compliance should be a minimal requirement. Maintaining SOC Compliance demonstrates that you can securely manage data and protect the interests of your business, partners and clients. The four areas critical to maintaining compliance are establishing processes and controls for monitoring system activity, real-time alerts for unauthorized activity, audit trails, and the ability to remediate and prevent future threats.

Find out more about how PreFence Compliance as a Service can help.