Credentials Explains: What is SOC 2?

by Rose Addison, Manager of Documentation & Training | Feb 01, 2017

 
SOC 2® is the next generation of globally recognized SAS 70 auditing standards, which were set forth by the AICPA in 1992 and centered around financial reporting.[1] As the Internet grew and cloud computing and web services became ubiquitous, the AICPA updated its standards to meet the needs of the information age and its new business models.

Today, many universities automate or outsource administrative tasks: student portals, transcript orders and degree verification are just a few examples. While transcripts on demand and round-the-clock access to information are certainly convenient for students, the decentralization of data increases the risk for its exposure. SOC 2 is designed to mitigate this risk through independent auditing of technology service providers (also known as “service organizations”) and their systems.[2]

Trust Services Principles

A SOC 2 Report is performed by a certified, independent auditor (e.g., an accounting firm), and focuses on a set of Trust Services Principles, including:[3]

  • Security – Both physical and virtual access to systems and data are protected from unauthorized users
  • Availability – Products and/or services are available for use as set forth in the vendor agreement
  • Processing Integrity – A system works the way it’s supposed to: login credentials are verified, transcripts are processed on time, accurate results are returned, etc.
  • Confidentiality – Sensitive information is kept secure as agreed in the vendor contract and in compliance with any regulatory standards
  • Privacy – The disclosure, retention and disposal of personal data complies with Generally Accepted Privacy Principles (GAPP) that are published and maintained by the American Institute of Certified Public Accountants (AICPA) and CPA Canada

An Extra Layer of Assurance

Universities are ultimately responsible for any and all data breaches, and though they may already have a set of requirements in place for their service providers, SOC 2 certification offers an extra layer of assurance. A wide range of vendors – from cloud storage firms to SaaS (“Software as a Service”) companies – may voluntarily undergo a SOC 2 audit. Upon successful completion and certification, audits are typically performed on an annual basis.[4]



[1] Evolution of SAS 70 to SOC Reports. (2012). American Institute of Certified Public Accountants (AICPA). Retrieved from https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/sas70_soc_reportsinfographic.pdf 
[2] Service Organization Controls (SOC) Reports for Service Organizations. AICPA. Retrieved from   https://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/ServiceOrganization'sManagement.aspx
[3] Explaining SOC: Easy as 1-2-3. (2012). James C. Bourke, AICPA. Retrieved from https://www.aicpastore.com/Content/media/PRODUCER_CONTENT/Newsletters/Articles_2012/CPA/Jun/Easy123.jsp      
[4] Expanding Service Organization Controls Reporting. (2011). Chris Halterman, Journal of Accountancy. Retrieved from http://www.journalofaccountancy.com/Issues/2011/Jul/20103500