Businesses are increasingly outsourcing basic functions such as data storage and access to applications to Software as a Service (SaaS) providers and other service organizations.
In response, the American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Controls (SOC) framework, a standard for controls that safeguard the confidentiality and privacy of information stored and processed in a hosted environment.
This aligns with the International Standard on Assurance Engagements (ISAE), the reporting standard for international service organizations.
A SOC 2 audit gauges the effectiveness of a SaaS provider’s system based on the AICPA Trust Service Principles and Criteria. An Attest Engagement under Attestation Standards (AT) Section 101 is the basis of SOC 2 and SOC 3 reports.
At the conclusion of a SOC 2 audit, the service auditor renders an opinion in a SOC 2 Type 2 report, which describes the SaaS provider’s system and assesses the fairness of the SaaS provider’s description of its controls.
It also evaluates whether the SaaS provider’s controls are designed appropriately and were in operationon a specified date, and were operating effectively over a specified time period. Auditors can also create a SOC 3 report—an abbreviated version of the SOC 2 Type 2 audit report—for users who want assurance about the SaaS provider’s controls but don’t need a full SOC 2 report.
A SOC 3 report can be conferred only if the SaaS provider has an unqualified audit opinion for SOC 2.
PROCAS’s SaaS is audited at least annually against the SOC reporting framework by independent third-party auditors. The audit for PROCAS’s SaaS covers controls for data security as applicable to in-scope trust principles.
A SOC 2 Type 2 report is available to customers who have signed nondisclosure agreements with PROCAS. A SOC 3 Type 2 report is publicly available.