Skip to content ↓ | Skip to navigation ↓

Do SOC2 Audits Even Matter? For that matter, does any audit matter?

Audits ask a trusted third party to provide an official inspection of an organization.  Exactly what’s included in the inspection and the details of how the inspection takes place  depends on the type of audit.

For IT teams that want to prove the efficacy of their security program to their stakeholders, customers, regulators, partners, management, et al,  the audit  that matters most ought to be  SOC2 .

Despite the fact that the SAS70 went end of life in June 2011 and the fact that  it was riddled with problems that made it impossible for it to evolve over time, most organizations still use it.  I won’t go into detail (or a rant) about the many reasons SAS70 audits are useless here.

So why is SOC2 the heir apparent to SAS70?

SOC2 was specifically designed to provide a means for  service organizations to quantify their adherence to the Trust Service Principles.  The Trust Service Principles (TSP) are specific controls relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

With  the huge adoption of managed IT services (better known as SaaS or cloud services) a SOC2 audit provides a definitive statement of security assurance. This statement is exactly the kind of information  IT teams need when they are evaluating managed service providers.

Imagine  for a moment that you are the IT Manager or CSO at a company.  You understand the benefits of moving some services to the cloud or outsourcing to SaaS providers, but what you’re worried about the level of security these organizations provide.

You have a lot of questions about the level of security at potential providers relative to the level of security your internal organization provides. The challenge is to get specific, detailed answers to those questions.

If you aren’t a Fortune 500 company, it’s tough to believe that Amazon Web Services or care about security of your data the same way you care.  Can their security programs  fill the requirements you have to your customers, both internal and external?

As the CSO, you could spend countless hours pleading with vendors to answer security questionnaires or spend tons of money to hire staff that does nothing but review controls inside of potential vendor’s infrastructures, but a shorter and cheaper path is to have this due diligence completed and on file.

And this is why we have audits. The audit is just that – an independent review of an organization’s controls.  A SOC2 audit is specifically designed for  vendors in the service organization marketplace today.

If you are a CIO of IT manager looking for service providers,  you should know that SOC2 audits are designed to focus on the Trust Service Principles and these are the same foundations of effective security you use with your internal program.

If you want to know more, the AICPA defines the specific controls that must be included for auditors to render a positive opinion.

That’s why SOC2 audits matter.


P.S. Have you met John Powers, supernatural CISO?


Title image courtesy of ShutterStock

Tripwire University
  • Great article Andrew.

    • SOCguy

      You have a lot of concerns about the stage of protection at potential suppliers comparative to the stage of protection your inner company provides. The task is to get particular, particular solutions to those concerns.

  • Eric

    About 3/4 of my customers accept our SOC 2 report as sufficient evidence of controls. However, 1/4 still require their internal spreadsheet or questionnaires to be completed. It is disappointing and frustrating to say the least. One of the many reasons that I hear from large companies is that they manage thousands of vendors and cannot read SOC reports for each of them. I, counter that I have thousands of customers and can't complete questionnaires for each of them. In the end, it boils down to contract language or how bad we want to do business together. If someone is looking at engaging with a company to do a SOC 2 report, they should set an expectation on how many customers or prospects will refuse to accept it!

  • Scott

    my company is looking implement an SOC but we don't know which one and they are leaving this up to me the IT Manager. Any suggestions? is this really something i should be doing?

  • Scott, it depends upon what your company does and the users who would benefit from reviewing your SOC reports. In short:

    SOC 1 / SSAE 16- Most applicable when the service provider performs or supports financial transaction processing (e.g., payment processing, asset management, payroll services, claims processing)

    SOC 2 or SOC 3 – applicable to a broad variety of systems where there might be a concern with the principles and criteria such as security, availability, confidentiality, processing integrity, and/or privacy. Service providers commonly include data center colocation, IT systems management, cloud-based services such as SaaS, IaaS, PaaS, email, collaboration, big data analysis, and communications services.

    The difference between SOC 2 and SOC 3 is subtle but important. If I was your customer I would want a SOC 2 as it provides more details about your environment and controls. SOC 3 is a shorter report that still includes an opinion from your service auditor over your control environment (just not the details). SOC 3 is good for general distribution and in some case can be a good marketing tool.

  • Michael

    If we are a software company that utilizes Amazon AWS for our cloud hosting, do we need a SOC2 ourselves? In my opinion we have narrow surface of exposure, multi-factor authentication into AWS to manage servers as well as the server configuration itself (port restrictions, SSL, encryption, etc.). So far we have pushed customer SOC2 requests onto Amazon, and that has sufficed. Wondering the cost/benefit of the annual audit expense – like another writer, we consistently have to complete long security forms (which they require in addition to SOC2). I know these rarely get reviewed, because we when have IT kick-off calls, security will often ask a subset of key questions where were already answered in the docs. I think security and controls are important, but it seems this documentation is more often than not CYA material.