SOC reports are audit reports that adhere to guidelines developed by the AICPA (American Institute of Certified Public Accountants). They are commonly used to provide an independent professional review of the operations of a service provider such as a data center. Let’s consider the value of SOC reports to clients seeking colocation, data backup, and business continuity services at data centers.
First, a little background about our company’s history with respect to SOC reports. CAPS has been providing data center infrastructure services in Connecticut since 1995. In 2009 we began contracting for annual independent audits. We have engaged with an approved auditor every year since then (that’s 14 years and counting) to provide our clients with a means to independently verify our data center operations.
SOC reports have evolved over the years. The AICPA first defined an audit report requirement known as SAS1 in 1972. Two decades later, SAS 70 (Statement on Auditing Standards No. 70) was released. This document replaced SAS1 and remained the standard until it was replaced in 2011 by SSAE 16 (Statement on Standards for Attestation Engagements No. 16). SSAE 16 defined the SOC 1, SOC 2, and SOC 3 (System and Organization Controls) reports. These standards were updated in 2017 when SSAE 18 was adopted.
Is 2 Better Than 1?
SOC 1 Type I and II, SOC 2 Type I and II, and SOC 3 Type II are the current standards defined by SSAE 18. SOC 1 is a financial audit report that is primarily concerned with evaluating the suitability of the design and operating effectiveness of the controls a service provider has in place. It is often used to fulfill the annual independent audit requirements imposed on financial organizations and publicly held companies by the Sarbanes-Oxley Act (SOX) of 2002. A SOC 1 Type II report covering an audit over 6 or more months is typically the version of the report used for data centers.
SOC 2 consists of 5 Trust Services categories. The first category deals with security and is mandatory. The four remaining categories relate to Availability, Processing Integrity, Confidentiality, and Privacy and are optional. That is, each service provider may choose which, if any, of these categories to include in its SOC 2 audit. A SOC 2 Type II report covering an audit over 6 or more months is typically the report used for data centers. SOC 2 reports are growing in popularity because of their focus on security. However, they are not considered adequate to fulfill the SOX requirements of public companies and other financial institutions. That remains the domain of SOC 1.
SOC 3 is a modified version of SOC 2 that excludes proprietary information and thus can be released without a Non-Disclosure Agreement (NDA). SOC 1 and SOC 2 reports include proprietary information about the audited company and are not to be released without an NDA.
A Non-Issue for Many
Though it takes time and money to prepare a SOC report each year, many of our clients are not interested in these independent audits. If they are not required by regulation to receive an independent audit of their data center services provider, they may not request a SOC report.
CAPS and Blue Hill Data Services have always been committed to providing high quality IT infrastructure services to our clients. The SOC reports we contract for each year offer a professional, independent evaluation of our data center operations. We are happy to share these SOC reports with clients and prospective clients who request them.
For many organizations, SOCs are not required. Just as some people wear dress shoes without socks, even though socks are a valuable addition (especially here in Connecticut), many organizations operate without SOC reports, even though SOCs are often a valuable addition.