In the United States, the accounting profession is largely governed by the American Institute of Certified Public Accountants (AICPA). Accordingly, this is whom we defer to on application security in our profession.
The AICPA has set forth three “Service Organization Controls (SOC) Reports for Service Organizations.”
Service Organization Controls (SOC) reports are designed to help service organizations (organizations that operate information systems and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report issued by an independent Certified Public Accountant. Each type of SOC report is designed to meet specific user needs:
SOC 1 specifically refers to an organization’s controls over financial reporting. If you are going to store documents containing a company’s financial reporting information, then you will want to see that the app you are using has this certification.
If you are storing your clients' accounting data (even backups) in a service, this one is important.
SOC 2 refers to Security, Availability, Processing Integrity, Confidentiality or Privacy.
This has to do with the processing of user data and the confidentiality and privacy of the information processed by these systems. This report is for internal stakeholders, such as management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.
Use of these reports is restricted.
Based on this, you are probably going to want to see this one on any service you are using for any client information.
SOC 3 – this is essentially the same as SOC 2, but this one is for general use and distribution. A SOC 3 report (in all cases) enables the service organization to share a general-use report that is relevant to current and prospective customers, or to use it as a marketing tool to demonstrate that it has appropriate controls in place to mitigate risks related to security, privacy, etc.
Any time I bring up one of these applications, everyone always asks about security. In order to truly understand whether or not you should trust the security of an application, especially as it applies to the accounting industry, it’s important to understand the above.
Then you have to set your standard. Do you only need to see one, two, or all three of these? The distinction between 2 and 3 is really only about whom they can show the report to. If a company has 1 and 2, you can probably trust the security. Essentially, SOC 3 lets them use their security attestation as a marketing tool – to sell you on how secure their system is.
SOC 1 alone may not be enough, because it only refers to the security of financial information, and not user data. In other words, if the user data (usernames and passwords) is not protected, how secure is the rest?
I’ve given you the resources to educate yourself. As I review each application in this course, the first lesson on each will involve a look at the application’s security, and whether or not it has any or all of these SOC Certifications.
Keep in mind that these things change. A company that doesn’t have all three today may have them all by tomorrow or next week. So you have to do your own research. The good news is, Google makes that easy. Simply search the application name alongside the word “security” and you’ll find what you need in the results. Make sure you are on the application’s website, and nowhere else. It’s important that you are reading about the source, FROM the source. This is not a subjective matter of opinion. Either they’ve had the reports issued, meaning they’ve been audited by an independent CPA firm for this, or they haven’t.
If you have clients in the healthcare industry, then you also need to assure yourself that the application has HIPAA-compliant security. I believe only ONE of the services I’m reviewing in this course has that.
The AICPA website has some resources that help you understand all of this. I’m going to make your life easier by summarizing, as I’ve done above.
Here’s a case study that gives you a real-world example of how one company, Confirmation.com, a secure online clearinghouse, assures its users about the controls it implements regarding financial reporting, its systems, and the data processed by those systems.
CPAs are the premier providers for SOC engagements. This flyer helps explain why a CPA is best suited to provide assurance on your service organization’s controls.
This flyer explains the three types of SOC reports and gives insights into the users who rely on each type of report.
The most important thing is that you have a documented internal process for vetting apps based on security, so that if any of your clients’ data is ever compromised, you can show that you did your due diligence!