SOC 2 is a third-party audit of service organizations; a WISP is an internal security program required of financial institutions.
SOC 2 and a WISP serve different purposes. A SOC 2 report (Type 1 or Type 2) is an independent audit by a licensed CPA firm against the AICPA Trust Services Criteria, primarily issued by service organizations (SaaS, MSPs, payroll processors) to give their customers assurance about controls. A WISP is an internal document required of financial institutions (CPA firms, tax preparers) by the FTC Safeguards Rule and IRS Publication 4557. A CPA firm normally needs a WISP and may rely on SOC 2 reports from its vendors.
Confusion between the two is common. Some firms buy SOC 2 reports thinking they satisfy the FTC; they do not. SOC 2 audits a service provider, not your firm. Other firms believe a WISP is unnecessary because their MSP has a SOC 2; that is also wrong. Your firm needs its own WISP. You can use vendor SOC 2 reports as evidence of your service provider oversight under the FTC Safeguards Rule.
WISP: A documented set of policies and procedures describing how your firm protects sensitive client data.
Service provider oversight: The FTC Safeguards Rule requirement to select, contract with, and monitor vendors that handle your client data.
FTC Safeguards Rule: A federal regulation requiring financial institutions, including tax preparers, to develop and maintain a comprehensive information security program.