Let’s start off by defining SOC 2 (System and Organization Control Requirements). SOC 2 defines requirements for system security, availability, confidentiality, data processing integrity and data privacy in an organization. With ever-increasing frequency, technology service providers are being questioned about these elements.
Why is SOC 2 important for MSPs and XaaS Vendors?
As regulators place growing pressure on MSP customers to demonstrate these system and data characteristics, the customers will drive some of that responsibility through to the MSPs themselves. They want to feel comfortable that as MSPs manage their IT infrastructure and/or their end-user systems, their data remains safe. Customers also have expectations that the vendors serving MSPs are compliant. Customers do not want to be on the regulators’ radar and surely do not want to show up on the front page of a newspaper for breach of any requirements (and neither do IT service providers)!
What are the steps of a SOC 2 engagement?
First, a clearly defined readiness assessment process determines the state of systems and internal control processes. Once the remediation of gaps is completed, the SOC 2 examination begins. The results are then presented in a report, which provides evidence that controls are in place and operating properly, that they meet the appropriate, pre-defined and agreed-upon criteria, and that they are effective. The report will provide insights and actionable results.
How frequently should SOC 2 assessments be conducted?
After the initial assessment and reporting, reviews should be completed at least every 12 months.
So what does a SOC 2 assessment do for an MSP or Vendor?
In short: it mitigates the risk to MSPs, XaaS vendors and their customers. As it demonstrates compliance and offers transparency for customers, SOC 2 reports quickly become a differentiator; a competitive advantage! Think about the statement that is made when a SOC 2 report is voluntarily and proactively added to a proposal or engagement letter. In addition, it makes ad hoc reports and customer onsite visits unnecessary, increasing provider productivity.
“Why can I not do it myself?”
Most regulators request an independent auditor to conduct an examination for an organization’s internal controls. In addition, a report completed by an outside, independent source delivers transparency for customers and assurance that their security needs are met.
Meet Our Team
Kate Siegrist leads Lurie’s growing technology practice and consults with business owners to help improve their security, compliance, and technology controls posture. As a partner, she oversees the firm’s SOC 1, 2, and 3 practices, security assessments, IT strategic planning services, IT risk assessments, IT governance assessments, business and systems transformations, and controls audits. Kate has been a featured speaker on technology and controls topics relevant in this rapidly evolving arena.
With a broad base of experience in multiple audit disciplines, Sean offers a well-rounded approach to technology consulting. He specializes in System and Organization Controls (SOC) examinations, building strong foundations of trust with his clients and striving to implement creative ways to test controls when standard approaches are no longer viable.
This article is for your general education, and does not create a client relationship or any service engagement between you and Lurie LLP. The content of this article is based on the best information available, but official guidance, rules, laws and/or updates may change and become out of date. Please contact your Lurie advisor before acting on any of the information contained in this article.
We may provide links to third-party sources for your convenience, but we do not review, control, or monitor the materials on any other websites. Lurie LLP is not responsible for the performance of those websites or for your business dealings with them.