Picture this: As part of your service delivery model, your organization operates as a Software as a Service (“SaaS”) firm to customers leveraging a cloud provider (such as Amazon Web Services (“AWS”), Microsoft’s Azure or other). These cloud providers routinely undergo a SOC examination and forward the report on to you (like any other user). Your client is asking you for a copy of your SOC report. No problem! You just forward the cloud provider’s SOC report on to them. You don’t need to do anything else, right?

Wrong!

Your Controls Matter

Although obtaining and reviewing the controls set forth in the cloud provider’s SOC report is an important monitoring control that should happen on a regular basis, the combination of the cloud provider’s controls AND your controls constitute the total control environment of your SaaS solution.

Typically, you are contracting with the cloud provider for infrastructure services such as virtual servers, operating system management, storage and performance monitoring tools. In a traditional co-location facility, the provider is typically responsible for “pipe, power and space”.

As a SaaS provider, you are responsible for the controls surrounding application development, on-boarding and off-boarding customers and control over access to the environment (and your customer’s data), to name a few.

What Does This Mean?

You should expect your customers and prospects to request both a SOC report of your SaaS operations as well as the SOC report of any cloud service or co-location providers. The inability of you to be able to satisfy this request could lead to a loss of clients and/or failure to secure new business; along with the peace of mind knowing that controls over your business processes are adequate.

Questions on SOC Examination Issues? Reach out to our Information Technology Experts today.