Software-as-a-Service (SaaS) companies tend to provide services that require their customers to entrust them with their sensitive data. Therefore, customers of SaaS companies need to obtain assurance over the controls in place at SaaS companies to be certain their data is appropriately protected. In order to obtain the appropriate level of assurance, customers require their SaaS companies to provide them with System and Organization Control (SOC) 2 reports.
SOC 2 reports focus on a company’s internal controls as they relate to security, availability, processing integrity, confidentiality, and/or privacy of a system. Companies are not required to address all of the categories; the examinations should be limited only to the categories relevant to the services being provided. As part of its SOC 2 examination, a CPA firm will test relevant controls over a specified period of time (SOC 2 Type 2) or as of a point in time (SOC 2 Type 1) and document the results in a SOC 2 report, which can then be provided to customers.
A common misconception among SaaS companies is the belief that providing customers with their third-party cloud service provider’s (e.g., Amazon Web Services) SOC 2 report will sufficiently address their customers’ desired level of assurance. Unfortunately, this is not the case. While the cloud service provider’s SOC 2 report gives customers assurance that their data is physically secured, it will not address the SaaS company’s key controls relating to logical security, security monitoring and change management over source code.
SOC 2 reports address multiple key areas, including but not limited to: logical access, security event monitoring and change management. SaaS customers want to understand who can access their data, how their data is protected from inappropriate access, both internally and externally (i.e., encryption, network security, etc.), and how their data will remain safe when application changes are made by the SaaS company.
In conclusion, SaaS companies need their own SOC 2 reports, even when the services being provided are hosted in a third-party cloud environment. SaaS companies must provide their customers with their own SOC 2 reports, in conjunction with their third party’s SOC 2 report, to provide comprehensive assurance to customers that their data is appropriately secured, both logically and physically.
For additional information on SOC 2 examinations, visit Schneider Downs’ “Frequently Asked Questions about SOC Reports” here: https://www.schneiderdowns.com/soc-report-faq.
Please contact us if you are interested in learning about our SOC 2 examinations and how Schneider Downs can help you meet your customers’ requirements.