There’s a driving trend toward replacing in-house IT applications, systems and related processes with third-party services. Entrusting confidential customer information, trade secrets and employee data to outside parties, however, has made it important for organizations to demonstrate that data and systems are well-controlled and available, regardless of where the data resides.
Although responsibility for managing IT risk will always reside within the organization, the burden of assuring that appropriate controls are in place for outsourced processes and systems is being pushed down to the service provider. From this focus on the service organization's environment has come a groundswell of security and control questionnaires and vendor audits. For many, the Service Organization Control report (SOC 2), issued by a service auditor, has become the standard of choice.