Don’t Be Fooled by Phony SOC Reports

A credit union guide to cloud provider due diligence. Part IV

In this 4-part series we dig into what credit unions should be looking for in SOC reports. As credit unions research Loan Origination Systems and other cloud-based solutions we point out the value of working with a provider that has done detailed work to earn their SOC Certifications.

Legacy Standards

Credit unions should beware of vendors that claim to be “certified” when in fact this claim of certification is based on outdated standard. Thus, a brief history lesson is in order.

The AICPA developed the Statement on Auditing Standards No. 70 (SAS 70) in 1993. It was the industry standard evaluation for service organizations for 18 years. However, in 2011, the SAS 70 was replaced by the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). This became the authoritative guidance for performing a service company’s examination.

In its ongoing efforts to keep pace with current technologies, procedures and controls, the AICPA developed the Standards for Attestation Engagements No. 18 (SSAE 18). The SSAE 18 became the official industry standard in May of 2017. Also, the SSAE 18 includes provisions for the SOC evaluations described in this document.

Unfortunately, some cloud vendors still talk about SAS 70s and SSAE 16s as if they’re relevant. They’re not. Any cloud vendor discussion of adherence to either or both of these legacy standards should serve as a red flag to the credit union.


SOC assessments, which are included as part of the current SSAE 18 standard, set the standard for due diligence evaluations of cloud-based software providers and their products and services, such as loan origination systems and platforms. To ensure the safety and integrity of its systems, every credit union should insist on SOC 2 Type 2 and SOC 3 assessments from every cloud-based vendor with which it does business.

These are the most important take-aways from this document:

  • While all SOC reports play an important role in cloud vendor due diligence, the most important of these reports is the SOC 2 Type 2 along with the corresponding SOC 3.
  • The purpose of the SOC 2 Type 2 evaluation is to examine a cloud software vendor’s controls based on the trust principles of security, availability, processing integrity and confidentiality of PII/NPI.
  • Important: Credit unions should require separate SOC 2 Type 2 reports from both the cloud software provider and the underlying cloud hosting provider.
  • SOC 2 Type 2 evaluations should be performed annually. Credit unions should pay close attention to the certification date of any SOC reports with which it’s presented and question any that are more than a year old.

About Sync1 Systems

Sync 1 Systems, a fully SOC-certified technology CUSO, is the developer of the industry’s first 100% cloud-based Loan Origination System (LOS). The Sync1 product is not an on-premise product that was repurposed for cloud deployment; it was designed from the ground up to take full advantage of the features and benefits of a true cloud deployment. A copy of Sync1’s current SOC 3 report is available on request.

For additional information about Sync1 Systems or any information presented in this paper, please feel free to contact us at or (888) 200-7801

Pin It on Pinterest

Share This