SOC for Service Organizations

Brad Hanks


Unlike our competitors, CloudApp is SOC 2 Type 2 compliant. To help you get up to speed with what that means and why it’s important, we published a list of SOC 2 compliance terms along with popular SOC 2 Compliance FAQs.  

Contact our sales team for more information about our SOC2 compliance and other enterprise-level account features and support.  

What is a System and Organization Controls (SOC) Audit?

There are three types of SOC audits. They are each designed to help an organization comply with standards established by the American Institute of Certified Public Accountants (AICPA).

SOC 1: Internal Control over Financial Reporting (ICFR)

Many corporations use SOC 1 compliant auditors to perform year-end audits of their financial data. In addition, SOC 1 auditors may perform short-term compliance audits called attestation engagements (methods to determine whether an individual has performed as promised). They may also conduct end-of-year audits known as opinion reports (statements made by the auditor about the results of the audit of a company's financial statements and internal controls).

SOC 2: Trust Services Criteria

SOC 2 is a set of standards that guide establishing, implementing, and maintaining effective information security controls for software as a service (SaaS) companies like CloudApp. SOC 2 compliance helps a services company to identify, monitor, and remediate vulnerabilities in your IT infrastructure. 

SOC 3: Trust Services Criteria for General Use Report

SOC 3 sets the standards for organizations providing security controls to safeguard customer data in an era of widespread Internet use by individuals accessing web-based information and services using electronic devices.


These reports meet the needs of a broad range of users who require detailed information and assurance about controls at a service organization. Reports will include information relevant to the security, availability, and processing integrity of the systems the service organization uses and the confidentiality and privacy of the data processed by these systems. 


These reports play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight


Any CPA can audit organizations for SOC compliance. However, having independent outside auditors verifies, without bias, whether management is compliant.

How Does SOC 2 Compliance Work?

Lets take a look at both the trust service criteria audit framework and the trust service criteria report.

SOC 2: Trust Service Criteria Audit Framework 

SOC 2 audits are comprehensive. Let's take a look at what goes into determining SOC 2 compliance:


  • Security controls designed to protect information assets or resources from unauthorized use, improper disclosure, or modification
  • Security policy audit 
  • Security policy compliance audit
  • Security policy evaluation


Availability: A set of controls designed to ensure that information assets or resources are available when needed and in the appropriate sequence.


  • Identification and authentication for individuals
  • Identification: access control based on authentication.
  • Authentication: multi-level authentication scheme for individuals


  • Group identification and authentication
  • Identification: access control based on group membership
  • Authentication: multi-level group level authentication scheme for individuals to gain access to information resources
  • Authentication: multi-level authentication scheme for individuals

 

Processing Integrity: A set of controls designed to ensure that processing functions are performed correctly and without unauthorized modification or interference.


Confidentiality: A set of controls designed to ensure that only authorized users only have access to confidential data (including non-public data) and are denied access if not approved. These controls also prevent hacking. 


Privacy: A set of controls designed to ensure that personal information is protected both electronically and physically from unauthorized access, destruction, use, modification, or disclosure.


Security Awareness and Training: A program that ensures employees understand the risks related to IT security and the actions they can take to help prevent security threats.


Incident Response Planning: A plan that details the process for detecting events, notifying management, and implementing a response plan when security incidents occur.


Testing/Assessment: Procedures for determining the effectiveness of a system's compliance with its security requirements by verifying adherence to security policies.


Configuration Management Processes: Procedures used for maintaining documentation on security settings to ensure consistent enforcement of information security safeguards across relevant technology platform components (e.g., firewall settings).


IT Asset Disposal Process and Procedures: Key processes for identifying IT assets subject to enterprise disposition processes. Assets that require further consideration, based on functional value or business criticalness, are documented and included in the process.

SOC 2: Trust Service Criteria Report

If you have worked with audit reports, this report will look familiar. However, it will be specific to services and company organization, not financial information.


Evaluation of Control Activities: The first part of the report lists the control activities present within the organization. These activities guide all aspects of an organization’s technical and business operations. 


The second part of the report is similar to a register of deficiencies. It outlines what parts of an operating system did not demonstrate adequate controls in relation to critical elements. Areas noted for improvement should be addressed promptly. 


Qualified Opinion (optional): Reports whether the auditor believes that proper controls are in place unless otherwise noted. A qualified opinion indicates areas of exceptions, allowing for a more detailed listing for remediation purposes. 


A qualified opinion may be issued because an area of concern has not been adequately resolved despite all efforts made to fix it. Once this is rectified, a subsequent report should be presented with a clean opinion.


Explanation and Responses (E&R): This section provides an opportunity for the auditors to explain their concerns on the procedures and reporting requirements of information security controls and address other audit requirements necessary for organizations to comply with the regulations correctly.


Report on Other Information Technology Controls: This may occasionally be included in a SOC 2 report if any information technology controls other than those related to information security are assessed during an audit.


Testing Results: This section summarizes the results obtained during testing of controls within an operating system and indicates whether they can maintain adequate security protections. 


Attestation Engagements by Others (AEoO): Should any entity outside of a company’s information security department perform any tasks related to security management or privacy and data protection, these instances should be clearly delineated in this section. 

CloudApp is SOC 2 Type II Compliant

Why SOC 2 Compliance Makes Sense

A SOC 1 audit wouldn’t be appropriate for CloudApp because we don’t impact a customer’s internal control over financial reporting, and the SOC 3 report is a general use version of the SOC 2 findings meant for public consumption. 


CloudApp SOC 2 compliance is an integral part of evaluating our organization’s security strategy. Many businesses today have complex supply chains and are heavily dependent on third parties. A SOC 2 certification confirms that an organization is compliant with industry standards governing internal controls, ensuring reliability and consistency in service delivery.


The value of SOC 2 Compliance is that it provides an objective measure of the effectiveness of your security programs. It also serves as a framework for continuous improvement as it allows you to assess risks against industry standards and assurance that you are meeting those standards. 

SOC 2 Type 1 vs. Type 2 Compliance

There are two levels of SOC 2 compliance: Type 1 and Type 2. However, since every organization’s internal technology — the networks, applications, operating and development environments — are unique, it may not be immediately apparent how the two levels of  SOC 2 compliance impact an organization’s security posture.  


Length of Audit: Type 1 compliance takes a single snapshot to see if a service organization is compliant. SOC 2 Type 2 requires audits of production systems on an ongoing basis and assists with risk assessments. A Type 1 SOC 2 compliant organization may not pass a Type 2 audit if they can’t maintain compliance over the long haul.


Show and Tell: Type 1 compliance proves that an organization understands the necessary security procedures. They can tell an auditor about security. Type 1 compliance demonstrates that an organization can tell and show they follow required security procedures over a period of time.


Talk is Cheap: Because Type 2 compliance requires a more extended audit over time, it represents a much more significant financial investment in ensuring that we protect the privacy and integrity of our customers’ data.


If you are an enterprise looking for a company-wide screenshot and screen recording solution, CloudApp is the answer. Being the only SOC 2 Type II certified provider, we have a competitive advantage over our competitors.


Join the Discussion