Compliance

SOC


System and Organization Controls (SOC) reports demonstrate how certain key compliance controls and objectives are achieved for laws and regulations such as Sarbanes-Oxley (SOX), a United States (US) federal law that sets the requirements for all US public company boards, management, and public accounting firms. The SOC examinations are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 18, issued by the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board (ASB).

Virtustream has completed Type 2 independent third-party certified public accounting (CPA) firm examinations of Virtustream Enterprise Cloud and its variants, and Virtustream Storage Cloud for a 12-month review period for the following reports:

  • The SOC 1 framework includes reports on internal controls, including SSAE 18: an audit standard designed to address and clarify concerns over the financial reporting of a service organization such as Virtustream, which aligns to the International Standard on Assurance Engagements (ISAE) 3402 international reporting standards.
  • The SOC 2 report includes security, availability, processing integrity, confidentiality, and privacy controls set by the AICPA. In addition, Virtustream has added the HIPAA/HITECH and CSA STAR controls to its SOC 2 report for Virtustream Enterprise Cloud.
  • The SOC 3 report includes the Trust Principles as defined by the AICPA.

Virtustream's audit and attestation are conducted and renewed annually.

Virtustream cloud services subject to AICPA SOC commitments include:

  • Virtustream Enterprise Cloud
  • Virtustream Federal Cloud
  • Virtustream Healthcare Cloud
  • Virtustream Storage Cloud

Region: United States

About SOC

The American Institute of Certified Public Accountants (AICPA), the professional organization for Certified Public Accountants (CPA), has established System and Organization Controls (SOC) reports to demonstrate how certain key compliance controls and objectives are achieved. The three (3) SOC reports include:

  • SOC 1: a report for service organizations that impact or may impact their clients' financial reporting
  • SOC 2: a report for service organizations that hold, store, or process information for their clients, where that information is not significant to financial reporting (e.g., would not affect their income statement or balance sheet)
  • SOC 3: a general-use report that does not contain a description of the service auditor’s test work and results

There are two different types of SOC reports:

  • Type 1: a report of procedures and controls an organization has put in place as of a point in time
  • Type 2: a report that has an audit period and provides evidence of how an organization operated its controls over a period of time