The last time I wrote about SOC 2 reporting, it was still very new. I was still learning about these standards, and as a result, may not have been as exacting as you might have wanted. I also may have been a little hard on SSAE reports. And despite my earlier description, there is no such thing as an SSAE SOC 2 report; SSAE and SOC 2 are different types of audits.
So now, I thought it might be worth a refresh of some key SSAE, SOC 2 and SOC 3 points, thoughts and opinions. So then:
- SSAE 16 or SOC 1 is basically a replacement for what was known as SAS70. With this report, an auditor will evaluate controls as defined by the service provider and offer an opinion. Depending on how rigorously the service provider tests, the report may be extremely valuable or not that helpful to the service provider’s customers.
- SOC 2 and SOC 3 are based around the American Institute of Certified Public Accountants’ Trust Service Principles (TSP) of security, availability, processing integrity, confidentiality and privacy. Service providers being audited under SOC 2 and 3 are evaluated against both their own controls and some predefined TSP controls. Because of these standards, these reports are, in my opinion and the opinion of others, more likely to be useful. Note, however, that a service provider is not required to test on all 5 TSPs, so there may be differences even among SOC 2 or 3 reports from different providers.
- A SOC 2 report contains the auditor’s report and details around the tests performed, the results and an opinion on the controls. A SOC 3 report only contains the auditor’s report on whether the controls meet the service criteria established under TSP. Which one is better depends on what level of detail a customer needs.
- The testing for each type of audit can be as of a specific point in time (Type I), or over a specified period (Type II).
- No one gets certified with one of these audits. A service provider simply “successfully completes” the audit. To find out how successfully, you need to read the service providers’ reports.
Hopefully, the stuff above is useful and will help you make some informed choices. If you want some additional opinion, I am partial to SOC 2 Type II reports. It’s what we do here at Internap. These reports provide info about operational controls and provide auditor insight into how well those controls work over time. This seems to be what most of our customers’ auditors want.
But beyond that, these reports are great tools for us to benchmark our own performance. For Internap, it’s not just a marketing gimmick; it’s serious business. And that’s probably as important as any other reason when you trust your business with us.