WAN Service Provider SOC Compliance

For service providers, it’s important to instill trust and confidence in their customers. Service organizations have a vested interest in helping their customers understand that adequate controls and processes are in place. The Service Organization Controls (SOC) report provides such assurance. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issues and maintains these auditing standards.

An SOC report signifies that a service organization has had its control objectives and activities examined by an independent auditing firm. Because so much emphasis is placed on security and compliance with multiple sources of requirements, service providers must demonstrate that they have adequate controls in place to securely handle their customers’ data. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act make SOC audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

SOC reports take the form of three different engagements, which produce three different reports. The following are the three types of engagements and associated SOC reports:

  • SOC 1 report is the assessment of controls related to financial reporting.

  • SOC 2 report builds on SOC 1 and includes controls related to organizational oversight, risk management, vendor management, and regulatory oversight.

  • SOC 3 report is a simplified summary of the SOC 2 report and is typically produced for public consumption.

An SOC compliance audit demonstrates that a WAN service provider stands behind its security controls and has confidence in its ability to protect customer data. You should insist on doing business only with WAN service providers who can show evidence of the appropriate SOC reports.
