The System and Organization Controls (SOC) reporting options are valuable tools for organizations. Reporting options include SOC for service organizations, comprising the SOC 1, SOC 2 and SOC 3 services described below, and SOC for Cybersecurity.
SOC for Service Organizations
System and Organization Controls (SOC) reporting options are valuable tools for service organizations. Reporting options include the SOC 1, SOC 2 and SOC 3 reports described below.
SOC 1 reports
SOC 1 reporting engagements give user organizations a strong sense of comfort about the outsourced services that service organizations perform on their behalf and that are relevant to the user organizations' financial reporting.
- Purpose: Reports on the controls of the service organization that are relevant to the user organization's financial reporting.
- Scope: Controls related to the accuracy of financial data and information technology general controls.
- Audience: User organization's financial executives, compliance officers and financial statement auditors.
SOC 2 and 3 reports
Established to address other types of third-party risks outside of financial reporting, SOC 2 and 3 reports provide user organizations with assurance over the critical systems and sensitive data used to provide the outsourced services. While the two options have similar scope, a SOC 3 has less detail and, therefore, typically provides less value to report users.
SOC 2 reports
- Purpose: Reports on the effectiveness of the service organization's controls related to operations, based on the selected trust services criteria (TSC).
- Scope: Governance, operational and information technology general controls that address one or more of the TSC categories: security, confidentiality, availability, processing integrity and privacy.
- Audience: User organization's information technology executives, compliance officers, vendor management executives, regulators, other specified parties and appropriate business partners.
- Additional Criteria: SOC 2 reports can also include other suitable criteria, such as HITRUST, the HIPAA Security Rule and others.
SOC 3 reports
- Purpose: Same purpose as a SOC 2 report.
- Information required: Same information as a SOC 2 report, but with a less detailed description of the service organization's controls.
- Audience: Unrestricted; the report can be used by anyone who has an appropriate understanding of the subject matter and who wants confidence in the service organization's controls.
SOC for Cybersecurity (new)
SOC for Cybersecurity is a new risk framework that establishes common criteria and guidelines for communicating about an organization’s cybersecurity risk management program. It enables organizations to report on their cybersecurity management programs to external stakeholders with the credibility associated with an independent examination report.
SOC for Vendor Supply Chains (under development by the AICPA)
The AICPA is developing a SOC framework to provide guidelines for vendor supply chain management programs.
**Please note: SOC (system and organization controls) was previously referred to as service organization controls. The definition was updated in April 2017 by the AICPA with the introduction of SOC for Cybersecurity.**
Type 1 vs. Type 2 Reports
Do not confuse SOC 1 and SOC 2 with Type 1 and Type 2. Both a SOC 1 and a SOC 2 can be either a Type 1 or Type 2. The key difference is:
- Type 1 addresses the design of controls as of a point in time.
- Type 2 addresses the operating effectiveness of controls over a period of time.
Type 1 reports provide less comfort to the intended audience of the report and are uncommon. If the type of report is not explicitly stated, it is safe to assume it is most likely a Type 2.
Performing a SOC examination
If you’ve never had a SOC examination performed, you’re probably wondering what it entails. The first thing we need to do is determine which report is most applicable to your environment and the needs of your organization and your clients.
After we agree upon the type and scope of the examination, we typically perform a readiness assessment before your first SOC examination. The readiness assessment is a one-time review to identify the control activities that satisfy each of the objectives or criteria. We will also determine potential test procedures and identify the types of evidence available to satisfy those test procedures. We are typically onsite for one to two weeks at small to medium-sized organizations. The deliverable provides recommendations on potential gaps in control activities and/or documentation.
After we perform the readiness assessment, we allow you time to remediate control or documentation deficiencies before we begin our examination period.
About halfway through the examination period, and several weeks prior to the interim fieldwork, we will send out a document request list to assist you in gathering the necessary evidence prior to our visit. This will also help us select samples for testing.
When we arrive onsite, we will conduct walkthroughs and observational testing and inspect the documentation you have provided. Interim fieldwork typically requires about one to two weeks onsite for small to medium-sized organizations.
Towards the end of the examination period, we will perform final fieldwork, during which we select additional samples and complete any remaining test procedures. After final fieldwork, we subject the final report to our internal quality control procedures, and we can issue the report approximately four to eight weeks after the completion of our test procedures.