Here’s an excerpt from my book Contract Negotiation Handbook: Software as a Service that briefly explains what audits a subscriber should include in its cloud license with a SaaS cloud service provider.
The American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) 1 type 1 and type 2 reports, SOC 2 type 1 and type 2 reports, and SOC 3 report replaced and extended the Statement on Auditing Standards 70 (SAS 70) in 2011. SAS 70 was the de facto standard for data center customers to assure themselves that their data center service provider had effective internal controls in place for managing the design, implementation, and execution of customer information. SAS 70 consisted of type I and type II audits. The type I audit was designed to assess the sufficiency of the service provider’s controls as of a particular date, and the type II audit was designed to assess the effectiveness of the controls as of a certain date. A SAS 70 audit only verified that the controls the service provider had in place were followed. There was no minimum bar that a service provider had to achieve and there was no standard to hold service providers accountable. A service provider with weak controls could claim the same level of audit as a service provider with strong controls. The only way a customer could tell the difference was to read through the detailed audit report. The other problem with SAS 70 was that it was never designed to be used by service providers that offer colocation or cloud computing (such as SaaS).
SOC 1 reports are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization. SOC 1 reports focus solely on controls at a service provider that are likely to be relevant to an audit of a subscriber’s financial statements. SOC 2 and SOC 3 reports are performed in accordance with Attestation Standards, Section 101 of the AICPA Codification Standards (AT Section 101). SOC 2 and SOC 3 reports address controls of the service provider that relate to operations and compliance.
As with SAS 70, SOC 1 reports are available as a type 1 or type 2 report. A SOC 1 type 1 report presents the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service, as well as the suitability of the design of controls, as of a specific date. A SOC 1 type 2 report includes the type 1 criteria and also audits the operating effectiveness of the controls throughout a declared period, generally between six months and one year.
SOC 2 reporting was specifically designed for cloud computing, SaaS, and managed IT service providers. A SOC 2 report (either type 1 or type 2) is similar to a SOC 1 report in scope and content, but a SOC 2 report specifically addresses any number of the five so-called “Trust Services Principles,” which are: Security (the system is protected against unauthorized access, both physical and logical); Availability (the system is available for operation and use as committed or agreed); Processing Integrity (system processing is complete, accurate, timely, and authorized); Confidentiality (information designated as confidential is protected as committed or agreed); and Privacy (personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the service provider’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles issued by the AICPA).
SOC 3 reporting also uses the Trust Services Principles but provides only the auditor’s report on whether the system achieved the specified principle; it doesn’t contain the detail a SOC 2 report does. A key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report is generally a restricted-use report because of the detail it contains, while a SOC 3 report is a general-use report because it’s not as detailed. A good use of a SOC 3 report would be as a marketing tool for prospective subscribers of a cloud service provider, whereas a SOC 2 report would be reserved for existing subscribers who need to, for example, verify compliance with the contractual information security obligations.
Another way of looking at the differences between SOC 1, SOC 2, and SOC 3 is to consider the audience of the various reports: your external auditors who audit your company’s financial statements will be interested in the SOC 1 report, your IT staff will be interested in the SOC 2 report, and prospective subscribers of the cloud service provider may be interested in the SOC 3 report.