Making the Business Case for SOC 2 Reports

The idea of the “extended enterprise” has become the norm in the corporate world. That is, your typical company now has dozens, if not hundreds, of external partners connected to the corporate network: suppliers, distributors, customers, etc. These partners may have access to the firm’s most critical financial data which, of course, can pose a tremendous security risk. In other words, rather than simply worrying about security within their own “four walls,” executives now have to worry about the efficacy of partner controls.

Secondly, we live in an increasingly mobile world. That’s good because people can access information anywhere, anytime (although that’s bad for anyone looking to take an old-fashioned vacation completely detached from work demands). But this mobile world is also riddled with security risks, as anyone who has “stolen” a free Wi-Fi connection can attest.

Thirdly, the “bad guys” are becoming even more sophisticated in their ability to penetrate corporate networks and carry out security attacks. And fourth, the cost of security incidents is great. Let’s take, for example, the soft and hard costs that are incurred if your customers’ credit card information is compromised. First, you have to deal with the IT fix to solve the problem. You also need to alert the customers in question, which is more work for your customer service staff. And you also have to worry about the negative publicity that could arise in the press. These are the kinds of unknown costs that get ignored in even the most basic financial planning.

So, taken in totality, it’s a scary world out there, which underscores the importance of adopting frameworks like Service Organization Control (SOC) reports. In fact, given the aforementioned risks, and with your internal controls as the “first line of defense” against intrusion, fraud, or human error, it’s no surprise that the SOC 2 reporting standard is gaining popularity in the highly important area of data centers and cloud providers. For example, in 2012, SOC 2 reports were about 7% of the total SOC-based audits conducted for data centers, while in 2013 so far 14% of the audits have been for SOC 2, a year-over-year growth of 100%. For one thing, a SOC 2 report is more applicable for cloud providers and data centers because it is not built around controls over financial reporting and accounting. SOC 1 (SSAE 16) does not provide an assurance assessment around security or operations, while SOC 2 audits, when properly conducted in accordance with AT 101 and based on the Trust Services Principles and the Cloud Controls Matrix (CCM), meet the security needs of most cloud customers.

“Most cloud providers do not align service offerings with customers’ internal controls over financial reporting, which is what SOC 1 is geared toward.” - Dave Shackleford, “SOC 2 reports: The de facto cloud provider security standard”

Bottom line: SOC certification will not only protect your company from the various pitfalls that can plague a modern company; it can also help you grow your business. And that’s because data centers with SOC certification are more likely to land contracts, as they can show would-be clients that they take security seriously. In other words, if you were a business, would you want to work with a company without SOC certification?

Reckenen provides Service Organization Control reports, including SSAE 16, SOC 1, SOC 2, and SOC 3 certifications.

