OUR THOUGHTS ON:

Will Cloud Service Providers' SOC 2 Reports Satisfy SaaS Companies' Customer Assurance Needs?

Risk Advisory/Internal Audit|SSAE 18/SOC

By Greg Poynton

Software-as-a-Service (SaaS) companies tend to provide services that require their customers to entrust them with their sensitive data.  Therefore, customers of SaaS companies need to obtain assurance over the controls in place at SaaS companies to be certain their data is appropriately protected.  In order to obtain the appropriate level of assurance, customers require their SaaS companies to provide them with System and Organization Control (SOC) 2 reports.  

SOC 2 reports focus on a company’s internal controls as they relate to security, availability, processing integrity, confidentiality, and/or privacy of a system. Companies are not required to address all of the categories; the examinations should be limited only to the categories relevant to the services being provided. As part of its SOC 2 examination, a CPA firm will test relevant controls over a specified period of time (SOC 2 Type 2) or as of a point in time (SOC 2 Type 1) and document the results in a SOC 2 report, which can then be provided to customers.

A common misconception among SaaS companies is the belief that providing customers with their third-party cloud service provider’s (e.g., Amazon Web Services) SOC 2 report will sufficiently address their customers’ desired level of assurance. Unfortunately, this is not the case. While the cloud service provider’s SOC 2 report gives customers assurance that their data is physically secured, it will not address the SaaS company’s key controls relating to logical security, security monitoring and change management over source code.

SOC 2 reports address multiple key areas, including but not limited to: logical access, security event monitoring and change management. SaaS customers want to understand who can access their data, how their data is protected from inappropriate access, both internally and externally (i.e., encryption, network security, etc.), and how their data will remain safe when application changes are made by the SaaS company.

In conclusion, SaaS companies need their own SOC 2 reports, even when the services being provided are hosted in a third-party cloud environment. SaaS companies must provide their customers with their own SOC 2 reports, in conjunction with their third party’s SOC 2 report, to provide comprehensive assurance to customers that their data is appropriately secured, both logically and physically.

For additional information on SOC 2 examinations, visit Schneider Downs’ “Frequently Asked Questions about SOC Reports” here: https://www.schneiderdowns.com/soc-report-faq.

Please contact us if you are interested in learning about our SOC 2 examinations and how Schneider Downs can help you meet your customers’ requirements.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

comments