A System and Organization Controls (SOC) report is an independent attestation, issued by a licensed CPA firm, on the controls a service organization has in place. These reports are prepared under Statement on Standards for Attestation Engagements (SSAE) No. 18, set out by the American Institute of Certified Public Accountants (AICPA).
Within Managed Print and Managed IT, these reports are technically optional. However, knowing the right questions to ask about whether a service provider has obtained a SOC report, and if so, which kind, makes it easier to reach important purchasing decisions quickly and to find a technology partner you can trust.
The magic question: “do you have a SOC 2 Type 2 report?” cuts right to the chase. The answer should be yes.
Curious about why? Read on…
So…What Exactly Is a System and Organization Controls (SOC) Report?
SOC is pronounced sock. A SOC report is an in-depth, unbiased overview of a service organization. Depending on the type of report, or attestation, it may be designed to find any inconsistencies in their policies and procedures, determine whether or not their information security is effective, and assess whether or not their methodologies pose any risk to a user entity (an organization that may outsource work to or partner with them).
Types of SOC Attestations
There is more than one type of SOC report, and this is where it can get a little confusing: both SOC 1 and SOC 2 reports also come in Type 1 and Type 2 variants.
SOC 1
This type of report evaluates controls at a service organization that are relevant to its clients’ internal control over financial reporting. SOC 1 reports are commonly obtained by organizations whose services can affect their clients’ financial statements, such as loan, payment, or payroll processors.
SOC 2
This type of report attests to an organization’s controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is always in scope; the other four are included only if the organization chooses, so check which criteria a given report actually covers. The report provides assurance that the organization maintains internal controls related to data security and privacy.
SOC 2 Type 1
This report describes the controls a company has designed and put in place as of a specific date. It evaluates whether the controls are suitably designed, not whether they kept working over time.
SOC 2 Type 2
This type of report tests whether a company’s controls actually operated effectively in practice over a review period, commonly six to twelve months. A Type 2 report is more thorough than a Type 1 because the auditor samples evidence from across that period to confirm the controls were applied consistently, not just on one day.
SOC 3
You don’t tend to hear as much about this type of report. It is a general-use summary of a SOC 2 examination (usually a Type 2): it carries the auditor’s opinion but leaves out the detailed system description and test results. It’s designed to let potential customers assess a service provider’s merit without the provider disclosing confidential details of its systems, which is why a SOC 3 can be published openly while a SOC 2 is shared under NDA.
What’s Included in a SOC Report?
A SOC report states whether management’s description of the system is fairly presented and whether the controls meet the stated objectives (for SOC 2, the applicable Trust Services Criteria). An unqualified opinion is the result you want: it indicates that the controls were suitably designed and, for a Type 2, operating effectively.
A qualified opinion means the independent auditor found specific problems; in other words, one or more controls were not designed or did not operate effectively, although the rest of the report still stands. An adverse opinion means the auditor found inadequacies widespread enough that the controls as a whole cannot be relied on.
The report also includes a few more items of due diligence. Management provides a written assertion that the system description is accurate and that the controls were in place throughout the period tested. You’ll also find a description of the systems and controls the auditor tested, the tests performed, what they found, and any exceptions noted. Read the exceptions closely, along with any complementary user entity controls: those are the controls the provider expects you, the customer, to operate on your side.
What Is a SOC Report in Cybersecurity?
SOC reports accommodate various industries, and the AICPA also publishes a separate SOC for Cybersecurity framework. Unlike a SOC 2, which covers the controls behind a specific service, a SOC for Cybersecurity report is an entity-wide examination of an organization’s cybersecurity risk management program, so it looks different from the SOC 2 a healthcare organization or a medical billing company would obtain for its services.
A SOC for Cybersecurity report focuses on how the organization identifies and manages cyber risk, and the controls can be evaluated against established frameworks such as the NIST Cybersecurity Framework or ISO/IEC 27001.
Wait…Doesn’t SOC Also Mean Something Else?
Yes. Sorry about that. Not to SOC it to you, but our industry has a passion for acronyms that just can’t be explained. SOC also stands for Security Operations Center, which is unrelated to a SOC report.
A Security Operations Center is a hub within an organization that’s tasked with monitoring security, improving it, and responding to cybersecurity incidents.
If you hear someone say “Sock report,” they’re talking about what this blog is about. If someone says, “Our sock will take care of that,” they’re probably talking about this hub, unless you, by chance, work for a company that makes specialized socks.
Why Should Your MSP Have a SOC 2 Type 2?
It’s important that you have the SOC talk with any current or prospective Managed Service Provider. A SOC 2 Type 2 means an independent auditor verified that the provider’s controls for safeguarding your data were designed properly and actually operated throughout the audit period. Ask for the report itself, not just a yes, and check three things: the scope (which services and which Trust Services Criteria are covered), how recent the review period is, and the exceptions the auditor noted.
If they don’t have this type of report, to be completely fair, they still might be able to keep your organization and its data safe. However, their procedures and tools haven’t been tested by an independent third party to see if they actually work in practice, so you are taking their word for it.
You can get valuable peace of mind from asking this simple, straightforward question and save quite a bit of time.
Finding an MSP With a SOC 2 Type 2
Marco has achieved a SOC 2 Type 2 report for our Managed IT and Managed Print Services, and our US-based team of over 650 certified systems engineers and technical representatives have worked very hard to provide an excellent experience along with best-in-class security.
Getting a SOC 2 Type 2 report is not as common as we believe it should be for Managed IT, and it’s even rarer for Managed Print. However, we think that every organization, regardless of size or industry, deserves to have its critical systems and sensitive data protected.
We also believe that you deserve some clarity around how a provider operates and whether or not they’re living up to their promises.
Click the link below to request more information about our security, including our SOC 2 Type 2 report.