SOC (System and Organization Controls)
This glossary explains various keywords that will help you understand the mindset necessary for data utilization and successful DX.
This time, we explain "SOC" (System and Organization Controls), which will affect the future of data utilization, and through it consider issues related to data utilization.
What is SOC (System and Organization Controls)?
SOC (System and Organization Controls) is an external audit certification system established by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Certified Public Accountants (CICA).
As IT has become widely used in business activities in recent years, accounting audits have also come to require audits of the IT services and systems that support a company's economic activities. SOC was created to certify that IT, and the way it is operated, meets the standards an audit demands. It is also used as a means of obtaining certification for IT services and systems beyond the scope of accounting audits.
The need for accounting audits
A "state of business report" is necessary to make the current economic system function.
What is an accounting audit? In Japan, there is a national qualification called a "certified public accountant" who is a specialist in this field. But what do certified public accountants do? Some people may think that they handle administrative tasks related to the company's finances (accounting, tax, finance), and it is true that they do some of that work.
However, the qualification system fulfills another important social mission. The certified public accountant system was created to "inspect the financial statements that companies publish to ensure there are no errors or lies." So why do we need a full-fledged qualification system and experts for "inspection"? Without inspection, bad things could happen to society, and major incidents could occur that affect the entire economy.
Much of the world's economic activity is carried out by "corporations." This is a system in which shareholders invest, use those funds to operate a business, generate profits, and pay dividends to shareholders. If the business is running smoothly, the company will make a profit, dividends to shareholders will increase, and the stock price will rise, but if the business is not running smoothly, the company will go bankrupt, the stock will become worthless, and the money invested will be wasted.
The key point is that the investor is an outside third party, not a boss-subordinate relationship on the same team. The larger the business, the more investment is required, and the more necessary it is to have a system that allows even people who are completely unfamiliar with the actual situation to invest. It is necessary to create a situation where even such people can decide whether it is okay to invest or own shares.
In other words, in order to successfully operate the mechanisms of corporations (and the stock market) and develop the economy, it is necessary to establish a system that allows external parties to understand whether a company is being managed well. This is a crucial issue for society as a whole, so it must be addressed even if it means expending extra time and money. For this reason, corporations are required to periodically issue reports (financial statements) that report their financial condition (business status).
If judged solely on the basis of financial statements (motive for fraud)
However, this means the judgment is based not on the actual business situation itself but on financial statements, which are merely paper. So what would happen if a company falsified the contents of its financial statements? If it pretended to be profitable when it actually wasn't, it would attract investment. If it lied, it could raise money. In particular, when a company is on the verge of bankruptcy and desperately needs funds to survive, it is easy to be tempted to raise funds by reporting fraudulent information.
There have been many cases in which companies have systematically raised money through false, unfounded lies, only to run off with the money and go bankrupt. Even though they had long since gone bankrupt, they continued to raise funds through lies to keep themselves afloat, resulting in massive bankruptcies with snowballing bad debts, leading to chain bankruptcies and shareholder bankruptcies that have wreaked havoc on the economy of entire nations. Unfortunately, such cases have continued into recent years.
What can be done to prevent such incidents? Such incidents can be reduced by making sure that financial reports are free of errors and lies. Therefore, a system of experts was created to thoroughly inspect financial reports to ensure they are in line with reality and, in some cases, to detect accounting fraud and check the contents of financial statements. This system is called the "Certified Public Accountant" system.
Accounting Audits in the IT Era
Traditionally, the economic activities of companies that are subject to accounting audits have been recorded and managed mainly using paper documents. However, in recent years, the use of IT in corporate activities has progressed, and the evidence of both the economic activities of companies themselves and the activities that are subject to audits is increasingly being recorded electronically.
The accounting audit work explained so far is now also required to be performed on electronic records, IT systems, and more recently cloud services, etc. From another perspective, even for companies that need to have their financial statements audited and approved, dealing with paper documents alone is no longer enough.
However, unlike the task of flipping through paper ledgers, when working with IT systems, IT knowledge is required in addition to the knowledge of a certified public accountant. Furthermore, it is not easy to detect mistakes or fraud in digital data, which is easily altered. It would be troubling if you were given an Excel file with a large number of numbers entered and asked to check the data for mistakes or elaborate window dressing, and to take responsibility for the results of the check. Yet, this is what we are forced to do.
So, is traditional paper-based work better? Not necessarily. There is a social demand to eliminate paper-based work and digitize it, and it's not good to have to go to the office just to stamp a seal. If you continue to process money on paper because it's difficult to handle audits, you'll be causing trouble for other people.
But what if IT was designed with audits in mind? For example, if the accounting system itself had mechanisms to prevent fraud, such as a system that records who entered or changed data, when, and on what basis, and a system that prevents data and logs from being erased and made to disappear, then it would actually be possible to carry out more thorough checks than traditional accounting audits.
In recent years, efforts have been made to develop systems that certify that IT systems are suitable for accounting audits. One such initiative is the external audit certification system that confirms that an IT system meets the standards set by System and Organization Controls (SOC).
SOC1 report
The SOC1 report is a report that verifies and certifies, from an accounting audit perspective, whether an organizational structure is in place that makes it easy to confirm that "no fraudulent accounting has occurred," as explained above.
Rather than just checking IT systems from an IT perspective, the overall situation, including the organization's operational status, is checked to see whether it is appropriate from an accounting audit perspective. For example, the check confirms that the system has the functions an accounting audit needs, such as preventing unauthorized data tampering, controlling data within the system, and leaving a trail of the various data manipulations that auditors must examine, and that these functions are being operated appropriately.
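As an added illustration (not part of the original glossary entry) of the audit-friendly mechanisms described above and in the SOC1 section, the following Python sketch records who changed which record, when, from what to what and on what basis, and chains each entry to the previous one with SHA-256 so that an edited or removed entry is detected on verification. Field names, the sample bookings and the hypothetical users are constructed for the example; nothing here is a SOC requirement in itself.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # constructed sentinel: the "previous hash" of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int                  # position in the trail; a gap means an entry is missing
    timestamp: str            # when (ISO 8601, passed in so the example is deterministic)
    actor: str                # who made the change
    record_id: str            # which accounting record was touched
    old_value: Optional[str]  # from what
    new_value: Optional[str]  # to what
    basis: str                # on what basis: voucher, approval or ticket reference
    prev_hash: str            # hash of the previous entry, chaining the trail together
    entry_hash: str           # SHA-256 over every field above


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys) so identical content always hashes identically.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only: there is deliberately no delete or edit method."""
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, timestamp: str, actor: str, record_id: str,
               old_value: Optional[str], new_value: Optional[str], basis: str) -> None:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        fields = dict(seq=len(self.entries), timestamp=timestamp, actor=actor, record_id=record_id,
                      old_value=old_value, new_value=new_value, basis=basis, prev_hash=prev)
        self.entries.append(AuditEntry(**fields, entry_hash=_digest(fields)))

    def head_hash(self) -> str:
        # Hand this to the auditor at period close; without an external copy, dropping the newest entries is undetectable.
        return self.entries[-1].entry_hash if self.entries else GENESIS


def verify_chain(entries: List[AuditEntry], expected_head: Optional[str] = None) -> Optional[int]:
    """None if the trail is intact, else the index of the first bad entry: an edited entry (hash
    mismatch), a removed middle entry (seq gap, broken prev_hash) or, given expected_head, a lost tail."""
    prev = GENESIS
    for i, e in enumerate(entries):
        fields = asdict(e)
        stored = fields.pop("entry_hash")
        if e.seq != i or e.prev_hash != prev or _digest(fields) != stored:
            return i
        prev = stored
    if expected_head is not None and prev != expected_head:
        return len(entries)  # every surviving entry checks out, but the tail is gone
    return None


def demo() -> tuple:
    # Constructed scenario: a booking, its correction, then two quiet tampering attempts.
    log = AuditLog()
    log.append("2024-04-01T09:00:00Z", "a.tanaka", "JE-1001", None, "150000", "voucher V-2231")
    log.append("2024-04-02T10:30:00Z", "a.tanaka", "JE-1001", "150000", "15000", "correction, approval APR-77")
    log.append("2024-04-03T08:15:00Z", "b.sato", "JE-1002", None, "42000", "voucher V-2232")
    head = log.head_hash()                                   # copy held outside the system
    no_correction = [e for e in log.entries if e.seq != 1]   # correction entry removed
    truncated = log.entries[:2]                              # newest entry dropped
    return (verify_chain(log.entries, head), verify_chain(no_correction, head),
            verify_chain(truncated), verify_chain(truncated, head))  # (None, 1, None, 2)
```

The last two results show the caveat: a truncated trail verifies as intact unless the latest hash was also kept somewhere the system's operators cannot alter.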
On the other hand, other aspects (such as information security and privacy protection) are not checked, so even if a company has undergone a rigorous SOC1 check, it cannot be said that the checks have been thorough from the perspective of general safety and security.
SOC2 report
A SOC2 report is a report that audits and certifies IT services and systems primarily from an IT perspective, rather than from an accounting audit perspective.
Specifically, an audit is conducted in one or more of the five areas of "security," "availability," "integrity," "confidentiality," and "privacy," and the results are reported. In some cases, the audit is more thorough than SOC1 in that area. Conversely, even if a company claims to have undergone a SOC2 check, it may only have undergone security checks and not any other checks.
While certification is significant in terms of external appeal, responding to audits and continually meeting standards can be costly for IT development work and can slow down the release speed of products and services. Being able to choose the perspective from which to obtain certification allows you to consider trade-offs and narrow down to the areas that are most important to you.
SOC3 report
The purpose of this report is public disclosure. Audit reports are generally not intended to be made public, and their contents are kept confidential, for example by signing an NDA (non-disclosure agreement) between the auditing firm and the company being audited. SOC1 and SOC2 reports fall into this category.
In contrast, SOC3 is a report for general use, and is intended to be made public in terms of content, ease of understanding, and length.
Type 1 and Type 2
There are two types of reports: Type 1 and Type 2. Type 1 reports are the results of an audit of the situation at a certain point in time. However, this alone can lead to suspicions that the audit is only being conducted at a convenient time, or that the situation is being covered up just for that moment (the original purpose of this was to clear up suspicions of accounting fraud). Therefore, Type 2 reports are created based on the results of audits that have been conducted continuously for more than six months.
How can you use SOC1/2/3 reports?
Facilitate accounting audits
If a company is SOC compliant, the contents recorded in the IT system are trustworthy from the perspective of a certified public accountant, which makes each audit smoother and increases the reliability of the results. This should reduce audit costs and increase the reliability of financial statements.
It can be marketed as IT that makes accounting audits smoother.
If your company's software products or cloud services are SOC-compliant, it is proof that they have been approved by a certified public accountant. Therefore, if you introduce them, you can advertise that they are at a level that will allow you to smoothly handle accounting audits.
It can be used as a way to promote the "refined" nature of your company's products.
It can be used as a means to communicate that a product or service is a reliable IT system in general, as it meets the standards required for accounting audits. With SOC3 in particular, you can not only say "compliant," but also publish the audit report itself, and you can also publicize what checks were made and what judgments were reached.
It can be used as a reference when introducing IT products and cloud services in your company.
The quality of IT products varies widely, and high quality is especially required for business-related IT, but the process of assessing products is not easy. If you believe a product is advertised as being good and decide to install it, you may end up with a series of problems some time after installation, which can cause serious problems.
For example, if software is simply built without regard for quality or security, it is unlikely to obtain SOC certification, so certification can serve as a way to determine whether a certain standard is met. In particular, SOC2 is not based on an accounting audit perspective, so it should be easy for IT personnel to use as a basis for their own judgment.
Examples of use on AWS
AWS (Amazon Web Services) provides a function that allows cloud service subscribers to download the SOC1 and SOC2 reports for AWS itself, and also makes the SOC3 report available for anyone to download.
Recently, it has become commonplace to use cloud computing for business systems, but until recently there were voices questioning whether it was acceptable to use something like the cloud for business purposes. In such a situation, these reports could be used to show that "it is also SOC compliant."
Related keywords (for further understanding)
- PCI DSS
- This is a security standard imposed by the credit card industry on IT systems that handle credit card numbers and other cardholder information. It was created in response to the rise of the Internet era, where incidents such as large-scale card number leaks have become commonplace. This standard can also be used as a means of certifying that an IT system and structure capable of handling credit card information is in place.
- GDPR (General Data Protection Regulation)
- This is a regulation that stipulates what must be considered when handling "personal data" in the European Union (EU). It can be said that it sets out what must be done to handle data in a way that respects human rights, as the EU sees it.
- File Linkage
- It is a means of communication that serves as the foundation for IT systems that support various corporate activities. When it comes to data handled in business, especially in the use of IT related to administrative processing and accounting, exchanging data in file format is very common.
File sharing may seem old-fashioned compared to the popular sharing methods and technologies of today, but it still has many advantages and remains the foundation that supports the business activities of many companies today.
- MFT (Managed File Transfer)
- A collaboration platform that realizes file-based collaboration processing with a high level of "safety, security, and reliability" that can support business activities. This term refers to file transfers that are not just capable of transferring files, but also have features that ensure file transfer is carried out correctly, are secure and safe, and leave a transfer log that can be checked and managed, as well as the infrastructure that makes this possible.
It can be used as a means to realize IT systems that require a high level of reliability, such as for operations where no errors are allowed or for audit compliance. Transfers are carried out without error, and even if a transfer fails, it can be properly checked, making it less likely that problems will occur between companies, such as files being sent or not being sent.
Are you interested in file transfer (MFT)?
If you are interested, please try out the product that brings the world of file sharing to life.
The definitive MFT "HULFT"
Please try out HULFT, the pinnacle of domestic MFT products with an overwhelming track record in Japan and the de facto standard for file integration platforms.
It has an overwhelming track record, having been used for many years as the infrastructure for financial institutions that require the highest level of support for their IT systems. A world where all environments are connected by files can be created in an instant.
HULFT is now compatible with the latest IT environments, including integration with cloud services, and is used in situations where high performance is required, such as high-speed transfer of large files and transfer processing of large volumes of files.
⇒ Learn about the mechanisms of file transfer through HULFT product introduction and online seminars
"HULFT WebConnect" allows you to use HULFT's safe and secure file transfer via the Internet
"HULFT WebConnect" is a cloud service that allows you to use HULFT's safe, secure and reliable file transfer via the Internet. It is a solid, enterprise-class service that can be used not only between your own company's bases, but also between overseas branches and business partners. File linkage can be achieved simply by using a regular Internet connection.
- Transfers via HULFT can be made across the Internet.
- Low cost as there is no need for costly dedicated lines or VPNs
- Because it is a cloud service, you can start using it immediately without having to perform any operational work yourself.
- The specifications are designed to be audit-friendly, such as not leaving any information on the transfer path.
- Various considerations have been made for using the service with a different company
- It has functions that can be used as a foundation for securely exchanging invoices, purchase orders, etc. with multiple business partners (including an easy-to-use dedicated client).
⇒ WebConnect product introduction and online seminar