Service Organization Control Series Part II: Effective Use of SOC 2

Service Organization Control 2

Service Organization Control (SOC) 2 reports are intended to meet the needs of a service organization's management, its user entities, and other parties for information about the service organization's IT controls. These reports address controls relevant to one or more of the five trust services principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

For user entities, SOC 2 reports play an important role in vendor management programs. They give user entities detailed information about the design and operating effectiveness of a service organization's controls.

With SOC 2, service organizations can provide a report focused on internal controls that are unrelated to financial reporting (the subject of SOC 1 reports). As a result, clients can better understand a service organization's internal controls relevant to the five principles above. SOC 2 reports are restricted-use reports, however: distribution is limited to parties who understand the nature of the service the organization provides, how its system interacts with user entities, the internal control and its limitations, and the effect of carved-out subservice organizations.

Cloud Service Organizations and Service Organization Control 2

Software-as-a-Service (SaaS) providers and other cloud service organizations that supply virtualized computing environments to user entities use SOC 2 reports to provide assurance that client information will remain confidential and that access will be available when needed. User entities receive SOC 2 reports covering any or all of the five principles. The report also contains a description of the service organization's system and of the controls intended to meet those objectives. A user entity that wants an assessment of whether those controls operated effectively over a period of time should ask for a SOC 2 Type II report; a Type I report covers only the suitability of the design of the controls as of a point in time.

Service Organizations that Process Medical Claims and Service Organization Control 2

Medical claims processing service organizations also use SOC 2 reports, in order to assure health insurers that their controls over claims processing protect the information contained in those claims, which is subject to privacy laws.

Bank Management and Vendor Management on Service Organization Control 2

Bank management can use SOC 2 reports as part of their due diligence. SOC 2 reports also apply to vendor management processes for selecting and assessing third-party vendors and various outsourcing agreements.

Through SOC 2 reports, users can better manage their vendors. A SOC 2 report provides assurance that the security controls described in the report are operating as stated, that the privacy of information processed by the vendor's system is observed, and that precautions are taken to protect the user organization's clients and employees.

Other Systems and Service Organization Control 2

Although not tied to financial reporting, SOC 2 reports can supplement a SOC 1 report by supplying additional information on systems related to financial reporting. SOC 2 reporting also applies to data center hosting, call center operations, marketing services, and document management.

Using Service Organization Control 2 Reports

If the report is to be used by the service organization's customers and other knowledgeable stakeholders to increase confidence and establish trust in the service organization's system, a SOC 2 report is the right fit.

To use a SOC 2 report effectively, users must first identify their needs. A user with security concerns, for example, can request a SOC 2 Type II report on the Security principle. Following the guidelines laid out by the AICPA, such a report covers: IT security policy; security awareness and communication; risk assessment; logical and physical access; security monitoring; user authentication; incident management; asset classification and management; systems development and maintenance; personnel security; configuration management; change management and monitoring; and compliance. It also includes the auditor's opinion on the operating effectiveness of the service organization's controls over the review period. The user thus has detailed SOC 2 information showing how the organization's controls were designed and implemented and whether they operated effectively.