Will Cloud Service Providers' SOC 2 Reports Satisfy SaaS Companies' Customer Assurance Needs?

Risk Advisory/Internal Audit, SOC
by Schneider Downs Professional
share with a colleague Download PDF

Software-as-a-Service (SaaS) companies tend to provide services that require their customers to entrust them with their sensitive data.  Therefore, customers of SaaS companies need to obtain assurance over the controls in place at SaaS companies to be certain their data is appropriately protected.  In order to obtain the appropriate level of assurance, customers require their SaaS companies to provide them with System and Organization Control (SOC) 2 reports.  

SOC 2 reports focus on a company’s internal controls as they relate to security, availability, processing integrity, confidentiality, and/or privacy of a system. Companies are not required to address all of the categories; the examinations should be limited only to the categories relevant to the services being provided. As part of its SOC 2 examination, a CPA firm will test relevant controls over a specified period of time (SOC 2 Type 2) or as of a point in time (SOC 2 Type 1) and document the results in a SOC 2 report, which can then be provided to customers.

A common misconception among SaaS companies is the belief that providing customers with their third-party cloud service provider’s (e.g., Amazon Web Services) SOC 2 report will sufficiently address their customers’ desired level of assurance. Unfortunately, this is not the case. While the cloud service provider’s SOC 2 report gives customers assurance that their data is physically secured, it will not address the SaaS company’s key controls relating to logical security, security monitoring and change management over source code.

SOC 2 reports address multiple key areas, including but not limited to: logical access, security event monitoring and change management. SaaS customers want to understand who can access their data, how their data is protected from inappropriate access, both internally and externally (i.e., encryption, network security, etc.), and how their data will remain safe when application changes are made by the SaaS company.

In conclusion, SaaS companies need their own SOC 2 reports, even when the services being provided are hosted in a third-party cloud environment. SaaS companies must provide their customers with their own SOC 2 reports, in conjunction with their third party’s SOC 2 report, to provide comprehensive assurance to customers that their data is appropriately secured, both logically and physically.

For additional information on SOC 2 examinations, visit Schneider Downs’ “Frequently Asked Questions about SOC Reports” here: https://www.schneiderdowns.com/soc-report-faq.

Please contact us if you are interested in learning about our SOC 2 examinations and how Schneider Downs can help you meet your customers’ requirements.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Financial Services, Risk Advisory/Internal Audit BY Marcy King
Enhancing Focus on Risk Management and Consumer Protection
read more >
Financial Services, Fraud/Investigative & Forensic Accounting, Risk Advisory/Internal Audit BY Tyler Caven
Controlling Wire Fraud in the Financial Industry
read more >
Risk Advisory/Internal Audit BY Brendan Leech
The Top Risks Internal Audit Leaders Need to Know for 2024
read more >
IT Risk Advisory, Risk Advisory/Internal Audit, SOC 2 BY Nicholas DeLuca
SOC 2 Terminology: Vendor vs Subservice Organization vs Subcontractor vs Third Party vs Nth Party
read more >
IT Risk Advisory, Risk Advisory/Internal Audit BY Michael Sinkevich
Did Poor Change Management Contribute to the AT&T Wireless and McDonald’s Outages?
read more >
IT Risk Advisory, Risk Advisory/Internal Audit, SOC BY Anna Young
Subservice Organizations: Their Role and Impact on Your SOC Report
read more >
Register to receive our weekly newsletter with our most recent columns and insights.
subscribe for updates
most popular
Master Your Credit Card Strategy: A Guide to Maximizing Rewards and Boosting Your Credit Score
Wealth Management
By Jessica Ellicott, Courtney Moriarty | 4.16.2024

Uncover the frequently asked questions surrounding managing your credit cards more effectively and harnessing their potential benefits. ...

read more
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh
Columbus
Metropolitan Washington
Image of Prime Global Logo
follow us client portal

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×
Accept