Updated: Apr 18
“Our Cloud Service Provider already has a SOC 2 Type 2, do we need our own SOC 2 as well?”
If you build your application on top of a Cloud Service Provider (CSP), your company’s SOC 2 will not include the controls that are the CSP’s responsibility. Suppose you have built a Software-as-a-Service (SaaS) application on top of CSP infrastructure. CSPs obtain SOC 2 reports to demonstrate to stakeholders such as investors and clients that their infrastructure is secure and available. In addition, users of the CSP’s infrastructure want to know that the controls the CSP applies are implemented effectively. Leveraging the CSP’s SOC 2 infrastructure to build your own SOC 2 compliant application is common amongst lnc SaaS solutions.
CSPs like AWS, Azure, etc. are compliant with just about every standard and regulation you can think of. Using AWS or another provider for your IaaS is a great way to leverage the CSP’s SOC 2 controls to build a SOC 2 compliant application. One benefit of relying on the CSP’s SOC 2 is that the number of SOC 2 controls covered in your own report will be smaller than if you were responsible for those controls yourself. A good audit firm will pass along the time savings from testing fewer controls, so you should see a saving in the budgeted spend for your SOC 2 report. If you have other Sub-Service providers that are responsible for meeting some of the SOC 2 criteria as they relate to your SaaS solution, this further reduces the set of applicable SOC 2 criteria that remain your own SaaS company’s responsibility.
The AICPA defines a service organization as “The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.”
As an example: lnc offers its clients a SaaS solution that is hosted by an Infrastructure-as-a-Service (IaaS) CSP, which provides physical security, environmental control, and monitoring services for the SaaS / SaaS Solutions company. In this case, lnc, as the SaaS company / SaaS solution provider, is the service organization and the IaaS CSP is the Sub-Service organization. The Carved-out Audit Report method allows a service organization to describe services performed by a Sub-Service organization within its system description, but excludes the Sub-Service organization’s controls from the service organization’s SOC 2 report. While this approach excludes the Sub-Service organization’s controls, the service organization is required to note (within its description of its “system”) the controls it uses to effectively monitor the Sub-Service organization.
The AICPA defines a subservice organization as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.” You could also think of subservice organizations as the entities that service organizations outsource some of their operations to.
One of the recent updates provided within the AICPA’s SSAE 18 omnibus guidance is additional monitoring of Sub-Service organizations. Service organizations should ensure they have monitoring controls for Sub-Service organizations in place. The monitoring should include obtaining SOC 1 and SOC 2 reports from Sub-Service organizations and reviewing the controls and the results of control testing in those reports. If a SOC report is not available from a Sub-Service organization, monitoring could include reviewing and reconciling output reports, holding discussions with the Sub-Service organization, site visits to the Sub-Service organization, testing controls at the Sub-Service organization by members of the service organization’s internal audit function, etc.
To summarize: it is customary for SaaS / SaaS Solutions companies to use Sub-Service organizations such as an Infrastructure-as-a-Service (IaaS) CSP. In these cases the SaaS company has outsourced the performance of certain controls to a Sub-Service provider. The controls outsourced to the IaaS CSP may also address some of the SOC 2 criteria. In that case, the service organization (the SaaS / SaaS Solutions company) should monitor the Sub-Service organization to ensure that it is performing the controls related to the SOC 2 requirements consistently. This can be accomplished by reviewing the Sub-Service organization’s SOC 2 report, focusing on the areas relevant to your SaaS service.
For more details write to: email@example.com and we will put you in touch with our sales team for SOC 2 compliant SaaS solutions with partner CSPs such as AWS, Azure, VMware, etc.
Author: Jawahar Bhatia