There has been an increase in the acceptance and use of cloud-based software companies (SaaS providers) that deliver outsourced services to businesses (user entities) across a variety of industries.
Since these SaaS providers may process important information or perform vital functions, they become an extension of the user entity’s control structure.
As a result, the user entity will often obtain a System and Organization Controls (SOC) report from its SaaS providers in order to understand each provider’s control structure and to gain comfort that its information is either processed completely and accurately or kept secure, available and confidential.
SOC reports include a description of the provider’s control structure and an opinion by an independent accounting firm as to whether this control structure is properly designed and the controls are operating effectively.
The most popular types of SOC reports are:
- SOC 1 Reports (also referred to as SSAE 16 reports prior to May 1, 2017)
SOC 1 reports are generally required when the SaaS provider processes financial information (e.g. payroll) for a user entity. Typically, the main readers of this type of report are the user entity’s chief financial officer and its financial auditor.
- SOC 2 Reports
SOC 2 reports are generally required when a user entity is most concerned with the security, availability, processing integrity or confidentiality/privacy of information held in the SaaS provider’s software. The main reader of this type of report is the user entity’s IT management. As security concerns over IT software have grown, SOC 2 reports have become increasingly popular.
So, whether you are a business that uses cloud-based software or a business that provides these services, SOC reports may play an important role in providing comfort over outsourced services.