Do SOC2 Audits Even Matter? For that matter, does any audit matter?
Audits ask a trusted third party to provide an official inspection of an organization. Exactly what’s included in the inspection and the details of how the inspection takes place depends on the type of audit.
For IT teams that want to prove the efficacy of their security program to their stakeholders, customers, regulators, partners, management, et al, the audit that matters most ought to be SOC2.
Despite the fact that SAS70 reached end of life in June 2011, and despite the fact that it was riddled with problems that made it impossible to evolve over time, most organizations still use it. I won’t go into detail (or a rant) about the many reasons SAS70 audits are useless here.
So why is SOC2 the heir apparent to SAS70?
SOC2 was specifically designed to provide a means for service organizations to quantify their adherence to the Trust Service Principles. The Trust Service Principles (TSP) are specific controls relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
With the huge adoption of managed IT services (better known as SaaS or cloud services), a SOC2 audit provides a definitive statement of security assurance. This statement is exactly the kind of information IT teams need when they are evaluating managed service providers.
Imagine for a moment that you are the IT Manager or CSO at a company. You understand the benefits of moving some services to the cloud or outsourcing to SaaS providers, but what you’re worried about is the level of security these organizations provide.
You have a lot of questions about the level of security at potential providers relative to the level of security your internal organization provides. The challenge is to get specific, detailed answers to those questions.
If you aren’t a Fortune 500 company, it’s tough to believe that Amazon Web Services or Salesforce.com care about the security of your data the same way you do. Can their security programs meet the requirements you have to your customers, both internal and external?
As the CSO, you could spend countless hours pleading with vendors to answer security questionnaires, or spend tons of money to hire staff that does nothing but review controls inside potential vendors’ infrastructures, but a shorter and cheaper path is to have this due diligence completed and on file.
And this is why we have audits. The audit is just that – an independent review of an organization’s controls. A SOC2 audit is specifically designed for vendors in the service organization marketplace today.
If you are a CIO or IT manager looking for service providers, you should know that SOC2 audits are designed to focus on the Trust Service Principles, and these are the same foundations of effective security you use in your internal program.
If you want to know more, the AICPA defines the specific controls that must be included for auditors to render a positive opinion.
That’s why SOC2 audits matter.