SOC Compliance For IT Providers
OnRamp SOC Audit Report
To protect organizations that outsource their IT functions, such as cloud computing and data storage, the American Institute of Certified Public Accountants (AICPA) developed the Service Organization Controls (SOC) standards to safeguard the privacy and confidentiality of information stored and processed in the cloud.
OnRamp's Service Organization Controls (SOC) reports are conducted by an independent third party as an examination of key compliance controls and objectives. The purpose of the report is to help potential customers, partners and auditors understand the standards OnRamp has established to support compliance and to build trust in the service provider's service execution.
OnRamp has achieved SOC 2 Type 2 and SOC 3 reports.
| | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| What is the report? | Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting (SSAE 16) | Report on the General Information Technology Process pertaining to the Austin I (Texas), Austin II (Texas) and Raleigh (N.C.) data centers relevant to Security, Availability and Confidentiality | A public report proving that OnRamp has met the AICPA Trust Services Security, Availability & Confidentiality Principles and Requirements |
| What standards are used to perform the audit for the report? | AICPA: AT 801, Reporting on Controls at a Service Organization | AICPA: AT 101, Attest Engagements; TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy | AICPA: AT 101, Attest Engagements; the criteria for evaluating the controls are the criteria in TSP section 100 that are relevant to the principle being reported on (the same criteria as in a SOC 2) |
| Who is the audience for the report? | Entities that use service organizations and their auditors | Organizations with business needs | A wide range of users who need assurance about the controls and standards of a service organization that processes information |
| What time periods do the reports cover? | (Upgraded to SOC 2 & SOC 3) | November 1, 2015 to October 31, 2016 | November 1, 2015 to October 31, 2016 |
Frequently Asked Questions
What is the AT 801 standard?
Attestation Standard Section 801 (AT 801) is a standard developed for service organizations to independently report on compliance-related policies, procedures and controls. It is intended to guide the auditors who assess OnRamp's services, and it provides an independent opinion of the internal controls that are relevant to a customer. AT 801 is issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and supersedes the prior controls guidance standards known as SSAE 16 and SAS 70.
How often are the OnRamp SOC reports issued?
OnRamp issues reports, conducted by a third party, covering a 6-month period on an annual basis. Each report is based on an audit against the SOC framework.
How can I get copies of SOC reports?
OnRamp’s SOC 2 report is available to customers upon request. The OnRamp SOC 3 Report is public and can be found here.
Is a non-disclosure agreement (NDA) required to receive the OnRamp SOC reports?
You do not need an NDA to view OnRamp's SOC 3 report. You do, however, need to sign an NDA to review OnRamp's SOC 2 report. Please note that the SOC 3 report is a summary of the SOC 2 report; it outlines OnRamp's ability to meet the AICPA's Trust Services Principles covered in the SOC 2 report and includes the third-party auditor's opinion of OnRamp's operation of controls.
Where can I find additional resources for my organization’s compliance efforts?
- The SOC Toolkit for Service Organizations offers comprehensive information to better understand the SOC reporting process.
- The Information for Management of a Service Organization guide provides comprehensive background information about the reports and outlines the responsibilities a service organization must fulfil to meet the trust principles.
- The AICPA.org website