You may see SOCs labelled by companies as, "SOC certification" and "SOC certificate", and we wanted to explain just why that term is incorrect. SOC (Service Organization Control) reports are not a certificate.
SOC reports are not earned by studying or for completion of a project, they are an audit. The result is a single page opinion accompanied by a 50 to 60-page report. A SOC report does not offer pass or fail options. What it does offer is an opinion on the many aspects of internal controls and as such, should be read in detail for noncompliance items.
When it comes to data security, SOC reports are vital.
Specialized auditors spend time in a company completing a checklist and looking intimately through systems and controls. This is not an identified success or fail but a very detailed opinion from an expert auditor on how well the organization manages controls or where they have weaknesses. The organization can then act on the weaknesses uncovered.
An opinion will generally indicate one of three situations:
- Unqualified opinion: Everything is as it should be according to SOC and auditor guidelines. Complete perfection is rare due to the irregularities of human nature!
- Unqualified opinion with minor exceptions: This is the most common result. Almost every report will have this and it is rare to see a report with no exceptions. Examples of weaknesses may include employees leaving or joining the company, password strength, or manual process risks.
- Qualified opinion: Of the different areas covered in the report, one or more areas qualify as departing from GAAP, and the effect is material. For example, accounting revenue for a large debt from a bankrupt company with no security. This kind of opinion is serious, and should be addressed before you go further with this service provider.
Aptitude Software takes their SOC reports seriously because their software helps you manage your financial data in a secure environment.
Read further about SOC reports including, definitions, explanations, and examples: