
When investing in EHS software, it’s important to choose a vendor and a system you can trust. SOC (“sock”) reports are one source of confidence.

As part of your research, you may come across a System and Organization Controls (SOC) report provided by the software vendor. A SOC report is issued by an independent, third-party CPA firm following an audit; it attests that an organization has effectively managed controls related to the security, availability, processing integrity, confidentiality, and privacy of a system and, in some cases, its financial reporting. There are two main types of SOC reports. SOC 1 reports focus on the service provider’s internal controls over financial reporting, while SOC 2 reports address the effectiveness of controls relevant to the security, confidentiality, or privacy of a system the service provider uses to process customers’ information. Both audits and reports are further classified as Type 1 or Type 2: a Type 1 report describes controls as designed at a point in time, while a Type 2 report also tests whether those controls operated effectively over a review period, a far more rigorous examination.

Both SOC 1 and SOC 2 reports validate the robustness of an organization’s systems and processes, giving customers and prospective customers assurance that their data is protected and that controls are in place. These reports are produced after completion of a SOC audit, which examines all information pertinent to the audit’s scope in order to identify potential risks. For most software purchases, the SOC 2 report is the one of primary interest, since it covers the security of the software’s servers and data systems. The SOC 2 report covers not only security, but also availability, processing integrity, confidentiality, and privacy.

When requesting a SOC report during your EHS software research, it is important to understand not only the type of SOC audit that was completed, but also the scope of the audit itself.

Many software vendors will provide a SOC report, but if you review it carefully, you may notice that it is limited to the vendor’s data hosting service (e.g. Amazon Web Services or Azure) as opposed to the vendor itself. While it is important to assess security of the hosting service, that only covers part of the software’s overall footprint. The EHS software itself must be run and managed securely in order to protect confidential and private data, which is especially critical for certain EHS applications. The security and availability of the hosting service will not mean much if the EHS software itself is down or subject to security flaws.

If you are considering a software purchase for your organization, a SOC report provides an excellent, standardized way to evaluate the integrity and security of candidate systems. But not all SOC reports are the same. Looking beyond the cover of the SOC report and understanding the scope and coverage of the underlying audit can help you avoid buying EHS software that isn’t as secure or as available as you need it to be.

Want to learn more about Locus Software Solutions? Reach out to our product specialists today!
