The first question many service organizations have when they begin researching System and Organization Controls (SOC) reports is: which SOC report(s) do they need? The American Institute of Certified Public Accountants (AICPA) has designed three SOC reports to accommodate the needs of service organizations, and it is important to understand the purpose and intended use of each report:
- SOC 1 reports are performed under the SSAE No. 16 standard and are designed to provide user entities and their financial statement auditors, also referred to as user auditors, information on how the service organization’s controls impact the internal controls over financial reporting (ICFR) of their user entity customers. SOC 1 reports are often used by the user auditors as part of compliance with the Sarbanes-Oxley Act of 2002 (SOX).
- SOC 2 reports are performed under the existing AT Section 101 standard and are intended to provide the service organization’s management, user entities, and other specified parties, with information about controls that may affect the security, availability, processing integrity, confidentiality, or privacy of the service organization’s systems and services.
- SOC 3 reports are performed under the same standard as SOC 2 reports and have a similar purpose; however, SOC 3 reports are general use reports that can be freely distributed to anyone, and do not contain the same level of detail in the description of the service organization’s systems or the tests applied to controls.
Service organizations may undergo one or more of the above examinations by engaging with a licensed CPA, often referred to as a service auditor. However, due to the differences in the SOC 1 report compared to the other two, it is not possible for organizations to substitute a SOC 1 report for a SOC 2 or SOC 3 report. Because of this, service organizations should consider obtaining multiple SOC reports to accommodate the needs of their customers.
Data center providers fall into a unique category of services that requires additional consideration when identifying which report(s) are best suited for their customers. The first and most obvious step is for data center providers to reach out to their customers to understand their user auditor requirements. As part of this process, data center providers should identify whether the services that they provide protect the financial systems of their customers, or otherwise have an impact on their customers’ internal controls over financial reporting. Typically, the majority of data center providers obtain a SOC 1 report because their most common types of services, colocation and managed services, have an expressed effect on their customers’ internal control over financial reporting processes.
This does not mean that a data center cannot also obtain a SOC 2 or SOC 3 report. In the past few years it has become increasingly popular for data center providers to obtain a SOC 2 report in addition to the SOC 1 report. This is primarily due to the increasing popularity of SOC 2 reports across all industries because of their more detailed framework of criteria relating to security, availability, processing integrity, confidentiality, and privacy. In addition, stakeholders of the organization, including management, often prefer the additional compliance requirements provided by the SOC 2 report.
Obtaining both a SOC 1 and SOC 2 report does not come without its challenges. The more detailed requirements of the SOC 2 report can identify issues of noncompliance within service organizations. Additionally, SOC 2 examinations often require additional resources to complete. However, choosing an experienced service auditor to perform multiple examinations concurrently can provide efficiencies that will reduce the cost and effort required to complete them.
Ultimately, data centers are not required to obtain any of the SOC reports, absent an expressed need from the organization’s stakeholders. However, in a world with increasing priority being placed on data security, obtaining SOC reports can set a data center provider apart from its competition. Being able to provide customers with the assurance granted by the SOC 1 and SOC 2 reports may be the difference between maintaining a happy customer and losing them completely.