Streamline Compliance Framework Hurdles with Service Organization Control Reports

Many service organizations are now faced with reporting on multiple regulatory and compliance frameworks. Depending on the size, complexity and industry in which the service organization operates, the number of frameworks that apply can be overwhelming. Managing and reporting on multiple frameworks can place an enormous burden not only on compliance and risk departments but also on the entire organization. While the number of compliance frameworks continues to increase, organizations can now document compliance with numerous frameworks using Service Organization Controls (SOC) 2 reports.

SOC 2 reports are intended to meet the needs of a broad range of users who request information and assurance about a service organization’s internal controls. Report coverage usually includes the security, availability and processing integrity of the systems used by a service organization to process information, as well as how the confidentiality and privacy of that information are maintained. Similar to SOC 1, there are two types of SOC 2 reports:

  • A Type 1 report covers management’s description of a service organization’s system and the suitability of the design of controls as of a point in time.
  • A Type 2 report covers management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls throughout a period of time. Use of these reports is generally restricted.

SOC 2 reports have become widely accepted to report on controls within service organizations that use technology-related services such as application hosting, systems development and payment processing. By including additional criteria relevant to the customer’s industry or specific customer requirements, the service organization can position itself to be more responsive and efficient with compliance reporting.


Author

Ryan Boggs, Manager | IT Advisory
864.213.4034 | ryan.boggs@dhg.com
