Are you a tech startup that stores or processes data on behalf of your clients? Have you received a request for a SOC 1 or SOC 2 report but aren’t sure what to do next? SOC reporting is something that many tech startups encounter. It’s important to understand the purpose of SOC 1 and SOC 2 reports and to know which one is right for you. The two reports serve different purposes, and pursuing compliance for the wrong report type could be a waste of your time and your VC funding. Know before you go:
Say you work mostly with small law firms. Rather than run client billing and collections through their offices, they’ve decided to use your product, a software system specially tailored to professional service firms. They use your system to charge time to their clients, and based on that information, you provide outsourced invoice generation and act as a lockbox. Because you are processing the law firm’s financial information, and your processing of the data affects the firm’s financial statements, they want to know you have good internal controls over financial reporting. They might ask for a “right to audit” your company on an annual basis, a time-consuming process for both parties – especially if every one of the law firms you work with asks the same thing.
Or, you could present your law firm clients with a SOC 1 report, issued annually by a CPA firm, based on an engagement performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). With a SOC 1 report, the law firms can have reasonable assurance that the financial information affected by your services is accurate – and you’ve saved time and money through efficiencies. Additionally, proactively obtaining a SOC report has proved to be a competitive advantage when obtaining new clients.
Now, what if your tech startup doesn’t process financial data for your clients, but does process or host other types of data? And your clients, hearing all the hubbub about data breaches, ask you how you are keeping their clients’ data secure? Additionally, they want to make sure you have a backup plan in place should one of your server rooms burn down, and that you’re taking reasonable steps to protect the data and prevent any leaks.
Good news – you can provide them with a SOC 2 report, also issued annually by a CPA firm, through an engagement based on the Trust Services Criteria, evaluating some or all of security, availability, processing integrity, confidentiality, and privacy at a service organization.
SOC 1 and SOC 2
In certain circumstances, it may be appropriate for companies to obtain both a SOC 1 and a SOC 2 report. Typically, this occurs when a company has multiple service offerings – one service may involve processing financial information on behalf of clients (payment processor) and another service may be more focused on the storage or transmission of sensitive client data (cloud-based data storage). In this case, getting both reports from the same CPA firm can go a long way toward lessening the financial burden on you while ensuring you have advice from a trusted provider who knows your organization.
If your service impacts your clients’ financial reporting, you need a SOC 1 examination. If your clients want assurance that the data you store or process for them is secure, available when they need it, and maintains an appropriate level of confidentiality, a SOC 2 exam is the way to go. Organizations with overlap may need both, and performing the examinations concurrently is a time and money saver.
Whether you’re confident you have the right controls in place, or you’re just getting started on your journey, Peterson Sullivan’s IT Risk team can help you move forward with our proven approaches to SOC examinations and SOC Readiness Assessments.
For more information, please contact IT Risk Manager, Bryan Geels.