SOC (System and Organization Controls) reports are standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate the effectiveness of internal controls over the financial reporting of service organizations.
These reports help service organizations to demonstrate their commitment to security, availability, processing integrity, confidentiality, and privacy to their clients and other stakeholders. The report is intended for users who rely on the services provided by the service organization, such as customers, auditors, regulators, and other stakeholders.
Not all organizations require SOC reports, but they are particularly relevant for companies that provide services critical to their customers’ operations, especially those that handle sensitive or confidential data.
When Is SOC Reporting Required?
A SOC (System and Organization Controls) report may be required when a service organization provides services that are critical to its customers’ operations, particularly when those services involve the handling of sensitive or confidential data.
Such services include data hosting, cloud computing, payroll processing, and healthcare claims processing. In many cases, the service organization’s customers may request a SOC report to assure that the organization has appropriate controls to protect their data’s security, availability, processing integrity, confidentiality, and privacy.
Additionally, regulatory requirements or contractual obligations may also require a SOC report. Ultimately, the decision to obtain a SOC report will depend on the specific circumstances of the service organization and its customers.
What Are The Different Types of SOC Reports?
There are three types of SOC reports:
SOC 1
A SOC 1 report, also known as an attestation report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, is a type of audit report that assures the design and operating effectiveness of internal controls over financial reporting. SOC 1 reports are typically used by financial institutions and other organizations that are required to comply with specific regulations, such as the Sarbanes-Oxley Act of 2002.
SOC 2
A SOC 2 report, also known as an attestation report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, is a type of audit report that assures the design and operating effectiveness of internal controls over one or more of the following trust service principles: security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are typically used by organizations that need to demonstrate to their customers, partners, or other stakeholders that they have implemented effective security controls.
SOC 3
A SOC 3 report, also known as a management report on controls at a service organization, is a type of audit report that provides a high-level overview of the design and operating effectiveness of internal controls over one or more of the following trust service principles: security, availability, processing integrity, confidentiality, or privacy. SOC 3 reports are typically used by organizations that want to share their security posture with their customers, partners, or other stakeholders.
SOC reports can be a valuable tool for companies that outsource services. They can help ensure that the service organization has adequate controls to protect the company’s data and assets.
Is a SOC Report Available for Sage 100?
According to this knowledgebase article created by Sage on June 14, 2022 (updated March 9, 2023), a SOC report is not required for Sage 100 since “Sage 100 is on-premise software where we do not conduct SOC audits.”
The article elaborates as follows:
- Available SOC reports (along with applicable bridge letters). [Not applicable, as Sage 100 is on-premise software where we do not conduct SOC audits].
- Audited Financials and, if applicable, bridge letter. [As a publicly-traded company, customers may review the financial information we make available on our investor webpage at https://www.sage.com/investors/financial-information/]
- Privacy Policy [Our privacy policy can be found at https://www.sage.com/en-us/legal/privacy-and-cookies/]
- Terms of Service [The end user license agreement governing a customer’s purchase of Sage 100 can be found at https://www.sage.com/en-us/legal/terms/]
- Business Continuity Plan/Test Results [Not applicable to on-premise software where we do not have access to a customer’s data]
- Copy of Information Security Policy [Not applicable to on-premise software where we do not have access to a customer’s data]
