Why SOC 2 for CDR Accreditation?

There are three (3) major benefits to achieving accreditation through the more established SOC 2 reporting standard.

The Consumer Data Right has been live since July 2020. There’s a handful of accredited data recipients and hundreds of others planning towards it. 


One of the major, and perhaps most limiting requirements, is the assurance report. This is to protect the security and privacy of Australian consumers, which is critical to the long term success of Open Banking and the Consumer Data Right. A SOC Type 1 report is required for initial accreditation to verify the information security and privacy controls. A point of confusion with this requirement is what a SOC report actually is, and how that relates to ASAE 3150, SOC 1 or SOC 2 (the three report types noted by the ACCC for accreditation). 


What is a "SOC" report?


SOC is just an acronym - initially Service Organisation Control, now more commonly referred to as System and Organisational Controls. Whatever you want to call it, it’s just a methodology for reporting over an organisations controls (ASAE 3150 is a SOC report, like "SOC 1" and "SOC 2"). SOC reports require an audit and report to verify the controls meet a set of criteria, objectives, or requirements. The reports are intended for third party users like your customers, regulators, investors, etc.


ASAE 3150, as specified by the CDR, is the Australian equivalent of the international standard ISAE 3150, and American standard AT-C 105 and 205. For all intents and purposes, these underlying standards are the same thing. The terms "SOC 1" and "SOC 2" were introduced to differentiate between the two main purposes of SOC reports (SOC 1 -integrity of financial systems and data, and SOC 2 - technology risk and controls).


SOC 2 has become a leading global standard. It can be issued under the American standard (officially recognised by the AICPA), or under ASAE 3150 as an “Australian equivalent”. Any big name software or infrastructure provider you use, issues SOC 2 reports to share with their customers. AssuranceLab is the leading provider of SOC 2 (by volume) in Australia and New Zealand, partnered with American CPA firms to issue the "official" reports under the American standard.


What does that mean in the context of CDR Accreditation?


The CDR Schedule 2 and the Trust Services Criteria (“SOC 2”), use the same underlying standards and methodology. The Trust Services Criteria are recognised globally, while the CDR Schedule 2 is designed solely for the purposes of accreditation by the ACCC. They both follow all the same principles - how to scope the systems and data environment, consideration of third party service providers (carve in vs. carve out), and mapping and testing of the controls to meet the criteria through suitability of design, and then by operating effectiveness (Type 2 reports). The CDR Schedule 2 is slightly more specific in some areas and less in others. The flexible SOC 2 approach has criteria rather than prescribed controls/requirements. SOC 2 can be used to specifically address the CDR Schedule 2 requirements to be used for accreditation and broader purposes. This approach is termed “SOC 2 Plus CDR”.


Why SOC 2 Plus CDR?


There’s three key benefits!


1. The Trust Services Criteria (SOC 2) is globally recognised by enterprises, regulators, investors and others, to get more value out of your investment. You can use the official AICPA SOC logo to reflect your achievement.

2. The cost can be lower. SOC 2 has been practiced for over a decade. That means it has extensive supporting materials and clarity over how criteria and requirements are met with industry-standard business practices. Adapting a SOC 2 report and the supporting audit practices, rather than starting with a blank canvas for a CDR-specific ASAE 3150 report, is like using a template to draft your policies.


3. The CDR is less clearly defined in areas like Schedule 2, Part 1. The same requirements are well established in the criteria and common control practices for SOC 2. This makes it easier to follow the clearly formed SOC 2 approach.


Read more in our post How to Align Your SOC 2 to the CDR.

Some additional information in one line