System and Organization Controls (SOC) Reports Explained: Building Trust in the Services You Provide

Written by Angela Akerman, CISA on December 16, 2019


System and Organization Controls (SOC) reports are quickly becoming a necessity for building trust and giving assurance to an organization’s customers and potential customers concerning the services provided.

The number of breaches and incidents resulting from vulnerabilities in an organization’s system or from the organization’s vendors is increasing, and many organizations are looking to protect themselves against costly cybercrime. As cybersecurity and internal controls are gaining more attention and emphasis in today’s business community, so are SOC reports.

Have a Warren Averett advisor reach out to you to start the conversation about what a SOC report might look like for your organization.

So, what is a SOC report?

A SOC report presents the results and findings of a SOC examination and is designed to give assurance over the design and functioning of a service organization’s internal controls. The decision to have a SOC examination performed is usually driven by requests or demands for the report from the service organization’s customers or potential customers.

Who can issue a SOC report?

SOC examinations are performed by independent Certified Public Accountants (service auditors) under the American Institute of Certified Public Accountants’ (AICPA) attestation standards.

What are internal controls?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) broadly defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

Essentially, internal controls are the measures that your organization puts in place concerning its own internal operations to increase efficiencies, protect against liability and remain in compliance with regulations and laws.

Who needs a SOC report?

Companies should have a SOC report if they:

  • are considered to be a “service organization” (an organization that provides services to user entities);
  • are frequently asked by current or prospective customers to complete a detailed questionnaire about the security of the organization or about internal controls in place to address risks that threaten the achievement of contracted services or system commitments; or
  • are frequently asked by current or prospective customers to supply a SOC report.

When should businesses ideally have a SOC examination completed?

Since the overall process can be lengthy, we recommend a proactive approach so that companies can not only be well prepared for those requests, but also gain invaluable knowledge about how well their internal control processes are working and areas where improvement is crucial.

Are there different variations of SOC examinations?

Yes.

For service organizations, there are SOC 1®, SOC 2® and SOC 3® examinations. In addition to these examinations, the AICPA has also formulated a SOC for Cybersecurity.

The AICPA has branded the SOC Suite of Services and reporting options as follows:

SOC for Service Organizations

SOC 1 Examinations (Types 1 and 2)
  • Intended to report on controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR)
  • Typically performed over services such as employee benefit or retirement plans, financial/custodial services, payroll processing, payment processing, loan servicing, etc.
  • Reports are restricted to management of the service organization, user entities and user auditors.

SOC 2 Examinations (Types 1 and 2)
  • Based on the 2017 Trust Services Criteria (TSP Section 100) specified by the AICPA and intended to meet the needs of a broad range of users for understanding internal controls relevant to the five trust services categories: Security (Common Criteria), Availability, Processing Integrity, Confidentiality and Privacy
  • Typically performed for data center co-locations, Software as a Service (SaaS) providers, cloud service providers, managed IT services providers, etc.
  • Reports are restricted to user entities of the system, business partners, prospective user entities and business partners, and regulators who have an understanding of the service organization and its controls.
  • Additional subject matter and additional criteria can be addressed in SOC 2+ examinations that also cover other internal control frameworks (e.g., SOC 2 + HIPAA).

SOC 3 Examinations
  • Performed over the same trust services categories as a SOC 2 examination, but the report is less detailed and does not include the description of the tests performed or their results
  • Designed for entities that process electronic consumer data using e-commerce, Software as a Service and other electronic systems
  • General use reports that can be freely distributed, including to readers who do not have sufficient knowledge to make use of a SOC 2 report

SOC for Cybersecurity
  • Reports on an organization’s cybersecurity risk management program and entity-wide controls
  • Testing of controls is performed, but the results of testing are not included in the report.
  • General use reports

Since SOC 1 and SOC 2 reports are the ones most frequently demanded by user entities, a more detailed overview of these two report options is warranted. Both are available as Type 1 and Type 2 reports, and the difference between the two types is also outlined below.

What is a SOC 1 report?

In SOC 1 reports, the service organization develops and authors the overall control objectives and related controls specific to achieving the control objectives. The service organization is also responsible for the description of the system (or narrative section) of the report.

SOC 1 reports are intended to report on controls at a service organization relevant to an entity’s internal control over financial reporting (ICFR), and they are typically performed over services such as employee benefit or retirement plans, financial/custodial services, payroll processing, payment processing, loan servicing, etc.

SOC 1 reports are restricted to management of the service organization, user entities and user auditors.

What is a SOC 2 Report?

In SOC 2 reports, the AICPA has specified the trust services criteria used to evaluate controls and provides points of focus that organizations can use to assist in determining applicable controls and control language.

The trust services criteria can be classified into five categories:

  • Security;
  • Availability;
  • Processing integrity;
  • Confidentiality; and
  • Privacy.

In a SOC 2 examination, the security category (also identified as the “common criteria”) must always be included; the remaining categories are then added as applicable to the organization’s service commitments or system requirements.

The AICPA has also developed certain standards the service organization must use when preparing the description of the system for SOC 2 reports, which are outlined in the Description Criteria (DC) Section 200.

SOC 2 examinations are typically performed for Data Center Co-locations, Software as a Service (SaaS) providers, Cloud Service Providers, Managed IT Services providers, etc.

These reports are restricted to user entities of the system, business partners, prospective user entities and business partners, and regulators who have an understanding of the service organization and its controls.

What is the difference between a Type 1 and Type 2 SOC report?

A Type 1 report is as of a specified date. It provides assurance that the description of the system is fairly presented (SOC 1 report) or is presented in accordance with the description criteria (SOC 2 report), and that the controls are suitably designed as of that date. The service auditor performs a walkthrough of the controls and a “test of one” (inspecting a single instance to confirm each control has been implemented), but there is no detailed testing of operating effectiveness.

A Type 2 report covers a specified period, typically not less than six months. The opinion gives assurance over the description and the suitability of design of the controls, and also over the operating effectiveness of the controls throughout the period. A Type 2 examination involves detailed testing of controls over the entire reporting period.

How are SOC Reports formulated?

The steps in a SOC examination vary depending on how prepared the organization is to meet the requirements. As service auditors, we typically recommend the four-step process outlined below:

SOC Examination Step 1: Conduct an Engagement/Planning Meeting

The service auditor meets with the service organization to determine the scope of the system or services, the SOC option most applicable for the organization’s needs, and the timing, scheduling and fees of the engagement.

SOC Examination Step 2: Conduct a Readiness Assessment

Meetings are held to discuss policies, processes and procedures the organization has in place or whether they have to be developed or refined. Walk-throughs, observations and inquiries regarding processes and procedures are performed by the service auditor.

The organization is responsible for developing control objectives and related controls (SOC 1 report), or specific controls to meet the SOC 2 report criteria; however, the service auditor can share knowledge, give advice or recommend appropriate control language to assist the organization in this task.

Any gap areas identified by the service auditor are reported to the service organization so that processes and controls can be refined in order to give reasonable assurance that the organization is well prepared before the SOC examination is performed.

SOC Examination Step 3: Type 1 Examination and Reporting (SOC 1 or SOC 2)

Organizations can choose to have the Type 1 examination performed prior to moving to the Type 2 examination to help ensure that controls are suitably designed and implemented as of a specified date.

A formal report is still issued by the service auditor; however, since no detailed testing of the operating effectiveness of controls is performed, the controls are simply listed as part of the organization’s system description. The service auditor’s opinion addresses the fairness of the presentation of the description (SOC 1) or its conformity with the description criteria (SOC 2), and whether the controls are suitably designed.

While not all organizations choose to have the Type 1 performed, it is definitely an option to consider in order to avoid multiple exceptions or deficiencies that might occur from moving to the Type 2 too quickly.

SOC Examination Step 4: Type 2 examination and reporting (SOC 1 or SOC 2)

When the organization elects to have the Type 2 examination performed, detailed testing will be completed by the service auditor over the entire reporting period as specified during the planning process.

In this report, the service auditor includes a description of tests performed, and the opinion will again cover the fairness of the presentation of the description (or description criteria), whether controls are suitably designed, and also if the controls operated effectively over the reporting period.

How can my organization get a SOC examination completed for a SOC report?

Warren Averett’s Risk, Security and Technology professionals work closely with service-providing organizations in order to gain a thorough understanding of their stakeholders’ requirements so that we can pinpoint the right solutions for their needs when it comes to SOC examinations and attestation services.

