Will Cloud Service Providers' SOC 2 Reports Satisfy SaaS Companies' Customer Assurance Needs?

Software-as-a-Service (SaaS) companies tend to provide services that require their customers to entrust them with their sensitive data.  Therefore, customers of SaaS companies need to obtain assurance over the controls in place at SaaS companies to be certain their data is appropriately protected.  In order to obtain the appropriate level of assurance, customers require their SaaS companies to provide them with System and Organization Control (SOC) 2 reports.  

SOC 2 reports focus on a company’s internal controls as they relate to security, availability, processing integrity, confidentiality, and/or privacy of a system. Companies are not required to address all of the categories; the examinations should be limited only to the categories relevant to the services being provided. As part of its SOC 2 examination, a CPA firm will test relevant controls over a specified period of time (SOC 2 Type 2) or as of a point in time (SOC 2 Type 1) and document the results in a SOC 2 report, which can then be provided to customers.

A common misconception among SaaS companies is the belief that providing customers with their third-party cloud service provider’s (e.g., Amazon Web Services) SOC 2 report will sufficiently address their customers’ desired level of assurance. Unfortunately, this is not the case. While the cloud service provider’s SOC 2 report gives customers assurance that their data is physically secured, it will not address the SaaS company’s key controls relating to logical security, security monitoring and change management over source code.

SOC 2 reports address multiple key areas, including but not limited to: logical access, security event monitoring and change management. SaaS customers want to understand who can access their data, how their data is protected from inappropriate access, both internally and externally (i.e., encryption, network security, etc.), and how their data will remain safe when application changes are made by the SaaS company.

In conclusion, SaaS companies need their own SOC 2 reports, even when the services being provided are hosted in a third-party cloud environment. SaaS companies must provide their customers with their own SOC 2 reports, in conjunction with their third party’s SOC 2 report, to provide comprehensive assurance to customers that their data is appropriately secured, both logically and physically.

For additional information on SOC 2 examinations, visit Schneider Downs’ “Frequently Asked Questions about SOC Reports” here: https://www.schneiderdowns.com/soc-report-faq.

Please contact us if you are interested in learning about our SOC 2 examinations and how Schneider Downs can help you meet your customers’ requirements.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

National Flood Insurance Program Extension
Continued Compliance with CAISO SQMD Requirements in Non-Reporting Years
Bill S. 1564 Calls for Delay of CECL Implementation Until a Quantitative Economic Impact Study is Completed
Artificial Intelligence in Higher Education
Why Higher Education Institutions Must Comply with GDPR
Minimizing Higher Ed Risks - Utilizing Internal Audit and Data Analytics

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102