There are three (3) major benefits to achieving accreditation through the more established SOC 2 reporting standard.
The Consumer Data Right has been live since July 2020. There’s a handful of accredited data recipients and hundreds of others planning towards it.
One of the major, and perhaps most limiting, requirements is the assurance report. It exists to protect the security and privacy of Australian consumers, which is critical to the long-term success of Open Banking and the Consumer Data Right. A SOC Type 1 report is required for initial accreditation to verify the information security and privacy controls. A point of confusion with this requirement is what a SOC report actually is, and how it relates to ASAE 3150, SOC 1 and SOC 2 (the three report types noted by the ACCC for accreditation).
SOC is just an acronym - initially Service Organisation Control, now more commonly referred to as System and Organisational Controls. Whatever you want to call it, it’s just a methodology for reporting over an organisation’s controls (ASAE 3150 is a SOC report, like "SOC 1" and "SOC 2"). SOC reports require an audit and a report to verify that the controls meet a set of criteria, objectives, or requirements. The reports are intended for third-party users such as your customers, regulators and investors.
ASAE 3150, as specified by the CDR, is the Australian equivalent of the international standard ISAE 3150 and the American standards AT-C 105 and 205. For all intents and purposes, these underlying standards are the same thing. The terms "SOC 1" and "SOC 2" were introduced to differentiate between the two main purposes of SOC reports (SOC 1 - integrity of financial systems and data; SOC 2 - technology risk and controls).
SOC 2 has become a leading global standard. It can be issued under the American standard (officially recognised by the AICPA), or under ASAE 3150 as an “Australian equivalent”. Any big-name software or infrastructure provider you use issues SOC 2 reports to share with its customers. AssuranceLab is the leading provider of SOC 2 (by volume) in Australia and New Zealand, partnered with American CPA firms to issue the "official" reports under the American standard.
The CDR Schedule 2 and the Trust Services Criteria (“SOC 2”) use the same underlying standards and methodology. The Trust Services Criteria are recognised globally, while the CDR Schedule 2 is designed solely for the purposes of accreditation by the ACCC. Both follow the same principles - how to scope the systems and data environment, consideration of third-party service providers (carve-in vs. carve-out), and mapping and testing of the controls against the criteria, first for suitability of design and then for operating effectiveness (Type 2 reports). The CDR Schedule 2 is slightly more specific in some areas and less in others. The flexible SOC 2 approach has criteria rather than prescribed controls/requirements. SOC 2 can be used to specifically address the CDR Schedule 2 requirements, serving both accreditation and broader purposes. This approach is termed “SOC 2 Plus CDR”.
There are three key benefits!
Read more in our post How to Align Your SOC 2 to the CDR.