Don’t Be Fooled by Phony SOC Reports

A credit union guide to cloud provider due diligence. Part II

In this 4-part series, we dig into what credit unions should be looking for in SOC reports. As credit unions research Loan Origination Systems and other cloud-based solutions, we point out the value of working with a provider that has done the detailed work to earn its SOC certifications.

Current Standards

Although the NCUA does not require any specific standards to which a credit union’s due diligence efforts must adhere, the Service Organization Control (SOC) assessment has emerged as the de facto standard across all industries for evaluating cloud-based service providers. SOC assessments were developed by the American Institute of Certified Public Accountants and can only be performed by AICPA-certified CPA firms. There are three types of SOC assessments:

#1: SOC 1

SOC 1 looks at controls at a service organization relevant to the provider’s internal control over financial reporting. It focuses on a description of a service organization’s system and on the suitability of the design of its controls to achieve the related control objectives as of a specified date. It can optionally offer the CPA’s assessment on the operating effectiveness of the controls to achieve the related control objectives as stated by the vendor. The standard assessment is called a SOC 1 Type 1, while the enhanced version is called a SOC 1 Type 2. SOC 1 reports are typically used internally by the vendor to ensure that adequate control levels are maintained.

#2: SOC 2

SOC 2 assessments consider a cloud vendor’s controls based on the trust principles of security, availability, processing integrity and confidentiality of PII/NPI. Like the SOC 1, there are SOC 2 Type 1 and Type 2 assessments. The SOC 2 Type 1 examines controls as of a specific point in time and establishes the basis for the SOC 2 Type 2 report. The SOC 2 Type 2 audit evaluates the suitability, design and operating efficiency of controls over a period of time. A SOC 2 Type 2 report should be completed at least annually.

Because a SOC 2 Type 2 report includes detailed information about a provider’s technology environment, these reports are only available to parties outside the vendor – e.g., a credit union – after a non-disclosure agreement (NDA) has been executed. Each subsequent SOC 2 Type 2 assessment accounts for both changes made by the AICPA and for changes instituted by the vendor.

#3: SOC 3

A SOC 3 report covers the same topics as a SOC 2 Type 2 report, serving as somewhat of an executive summary of the SOC 2 Type 2. The SOC 3 furthermore provides assurance that the auditor has issued an unqualified opinion, meaning an opinion without caveats, affirming that the evaluated provider has met all SOC 2 Type 2 requirements. In other words, it assures the credit union that the provider has achieved a clean SOC 2 Type 2 certification and the auditor believes the product or service, as well as its operations, to be secure and safe. The SOC 3 report was designed to serve as a marketing tool and can therefore be distributed outside the organization. For example, a cloud vendor might put a copy of its SOC 3 report about a LOS platform it offers on its website for on-demand consumption by its customers and prospects. SOC 3 reports are issued in conjunction with the corresponding SOC 2 Type 2 assessment.

About Sync1 Systems

Sync1 Systems, a fully SOC-certified technology CUSO, is the developer of the industry’s first 100% cloud-based Loan Origination System (LOS). The Sync1 product is not an on-premise product that was repurposed for cloud deployment; it was designed from the ground up to take full advantage of the features and benefits of a true cloud deployment. A copy of Sync1’s current SOC 3 report is available on request.

For additional information about Sync1 Systems or any information presented in this paper, please feel free to contact us at or (888) 200-7801
