System and organization controls reports for Fusion SaaS Cloud applications

April 8, 2024 | 4 minute read
David B. Cross
SVP SaaS Security
Text Size 100%:

This blog was written by contributing guest author Nancy Kramer, senior director in the Oracle Information Security organization, a key partner to SaaS Cloud Security.

Organizations seeking to manage supplier risk in cloud environments often find it beneficial to review the cloud provider’s third-party audits to security and privacy standards. These audits compare the conformance of a cloud provider's systems and operations to the set of requirements defined in a standard. Attestations, also known as audit reports or certifications, are the outcome of an audit to a standard, describing the level of conformance to the requirements.

Oracle recommends that customers seeking to evaluate Oracle Cloud Applications consider which standards and compliance frameworks are best aligned to their own security and privacy objectives. You can use Oracle Trust Center’s dashboard for Cloud Compliance to see a list of available attestations.

As many customers find System and Organization Controls (SOC) relevant to their needs, this post provides some context for the SOC compliance frameworks and answers frequently asked questions about Oracle’s attestations for these standards.

What are System and Organization Controls standards?

SOC standards are defined by the Association of International Certified Professional Accountants (AICPA) to evaluate system-level controls of a service organization or entity-level controls of other organizations. While several types of SOC assessments exist, the following examples are the most common:

  • SOC 1 assessments provide an auditor’s opinion about controls at a service organization that are likely to be relevant to the entity’s internal control over financial reporting. Some security controls are included in this assessment but only as they relate to the accuracy of financial statements.
  • SOC 2 assessments provide an auditor’s opinion about controls at the organization relevant to the trust services criteria: Security, availability, processing integrity, confidentiality, and privacy. The organization being evaluated selects which of these trust services criteria to include in an assessment, but typically, all criteria are included.

Assessments to SOC standards can result in two types of reports. Type 1 reports focus on the suitability of the design of an organization’s controls to achieve the control objectives. Type 2 reports include the full type 1 report contents, and an opinion on the operating effectiveness of the controls to achieve the objectives, along with a description of the auditor’s tests of the controls and their associated test results.

How do SOC reports help organizations manage supplier risk?

SOC 2 reports are intended to meet the needs of a broad range of organizations which seek detailed information and third-party assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems used to provide the service. The assessment includes evaluating the confidentiality and privacy of the information processed by these systems.

When are new Fusion SOC reports available, and how do I get them?

Fusion SOC 1 assessments are quarterly, resulting in four SOC 1 reports each year. However, each SOC 1 assessment encompasses a rolling annual reporting period to cover the entire year, not just the previous quarter. Fusion SOC 2 reports currently follow an annual cycle from October to the following September. The attestations for these reports are generally available about two (months after the end of each reporting period.

Customers can directly download attestations for Fusion Cloud applications. Many of Oracle’s cloud applications run on OCI, so you might also want to download OCI attestations from the Oracle Cloud Console. Alternatively, contact Sales to request third-party compliance attestations for Oracle Fusion Cloud.

What are SOC bridge letters, and how are they useful?

SOC assessments evaluate evidence demonstrating how an organization’s controls have operated over a specified period. In other words, SOC assessors look backward and frame their observations of an organization’s conformance to the SOC’s requirements during a specific, already elapsed timeframe. As a result, after a SOC report is issued, some customers might perceive it to be outdated. So, monthly bridge letters are issued to cover the periods of time in between SOC report availability. These bridge letters serve to essentially state that the vendor believes they’re still meeting the controls observed in the most recent assessor’s report.

Is there guidance for interpreting SOC reports? 

The blog post, How to Read Cloud Service Attestations offers guidance for evaluating the adequacy, scope, and outcome of an audit, as represented in the cloud service’s attestation. You can also watch the webinar video, How to Evaluate Cloud Service Attestations for a set of tips and areas to review. 

Want to learn more?

Oracle recommends exploring the Trust Center, your one-stop shop for security, compliance, privacy, contracts, and cloud availability information. A tour video guides you through the sections of the site, including the following examples:

You can also get tips from the case study and checklist, How to Evaluate Cloud Providers, which was described in a previous webinar and blog series. The case study walks through each checklist step, offering helpful points to consider and Oracle resources to support your organization’s supplier management and procurement processes.



David B. Cross

SVP SaaS Security

David is the Senior Vice President for the Oracle SaaS Cloud Security engineering and operations organization.  Previously, David was the public Cloud Security Engineering Director in the Google Security and Privacy organization and his preceding 18 years were spent with Microsoft in numerous security cloud, product and engineering leadership roles.  David holds a B.S. in Computer Information Systems as well as an MBA with a Management Information Systems concentration and is a longtime advocate of security application and technology stemming back to his US military service.

Nancy Kramer

With over 20 years of experience in managing risk, security, privacy and compliance audits relating to complex business processes and IT systems, Nancy Kramer helps define corporate information security policies and manages compliance and obligation management programs which oversee Oracle’s on-premises and cloud offerings. Nancy also provides thought leadership via engagement with industry organization such as Payment Card Industry Security Standards Council (PCI SSC).

Previous Post

Deployment and management of Oracle Cloud VMware Solution with Terraform

Thomas Thyen | 4 min read

Next Post

Pioneering de novo antibody design with OCI, supporting Silica Corpora’s AI mission for unmatched precision and efficacy

Deepak Soni | 3 min read