System and Organization Controls (SOC) reports are quickly becoming a necessity for building trust and for giving assurance to an organization’s customers (and prospective customers) about the services the organization provides.
The number of breaches and incidents resulting from vulnerabilities in an organization’s system or from the organization’s vendors is increasing, and many organizations are looking to protect themselves against costly cybercrime.
As cybersecurity and internal controls are gaining more attention and emphasis in today’s business community, so are SOC reports.
What is a SOC report?
Who can issue a SOC report?
SOC examinations are performed by independent Certified Public Accountants (service auditors) under the American Institute of Certified Public Accountants’ (AICPA) attestation standards.
What are internal controls?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) broadly defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”
Essentially, internal controls are the measures that your organization puts in place concerning its own internal operations to increase efficiencies, protect against liability and remain in compliance with regulations and laws.
How can my organization obtain SOC certification?
The term “SOC certification” is actually a misnomer resulting from a common misconception about SOC reports. Organizations frequently ask how they can become “SOC certified” or “SOC compliant,” but there is no certification and no pass or fail with SOC reports.
Once the SOC examination is completed, a reporting package is issued, which contains the Independent Service Auditor’s report, tests performed by the auditor and results of those tests, and the service organization’s assertion and description of the system (or narrative of the controls).
Within that Independent Service Auditor’s Report, the service auditor will issue an opinion. If the description of the system is fairly presented (SOC 1) or in accordance with the Description Criteria (SOC 2), controls are suitably designed, and controls are operating effectively (Type 2s), the service auditor will likely issue an “unmodified opinion,” which is usually the preferred outcome.
However, if there are significant issues found in testing or the description is misleading or missing relevant information, the service auditor could issue a qualified or even adverse opinion, depending on the pervasiveness of the issues.
Who needs a SOC report?
The decision to have a SOC examination performed is usually driven by requests or requirements for a SOC report from the service organization’s customers or prospective customers. So, most likely, you’ll know that you need a SOC report because your customers are asking you for one.
For many companies, requesting a SOC report from vendors is part of good vendor management and of the due diligence typically performed over an organization’s vendors to address the risks of outsourcing services to them.
It’s important to remember that while your customers or prospective customers can outsource services, they are still responsible for safeguarding their own information, and SOC reports are a method for them to build trust in your company and the services you provide to them.
Organizations should have a SOC report if they:
- are considered to be a “service organization” (an organization that provides services to user entities);
- are frequently asked by current or prospective customers to complete a detailed questionnaire about the security of the organization or about internal controls in place to address risks that threaten the achievement of contracted services or system commitments; or
- are frequently asked by current or prospective customers to supply a SOC report. (This could be the determining factor on keeping current customers or winning the business of a prospective customer.)
What is the typical timeline for having a SOC examination completed?
SOC examinations can be a lengthy process, sometimes taking several months or even a year to complete, depending on how prepared the organization is to meet the requirements.
For those organizations that already have robust policies, procedures and internal controls in place, the process can definitely be shorter.
If those things are not in place, we typically recommend that the organization go through a Readiness Assessment to determine readiness, to identify gaps or areas for improvement and to avoid jumping into a SOC exam too quickly. Doing so would hopefully avoid any significant exceptions or deficiencies in the SOC report when it’s completed.
Whether the organization chooses a proactive approach or has a SOC exam performed in response to requests for one, we ultimately hope they will also gain invaluable knowledge about how well their internal control processes are working and areas where improvement is crucial.
Are there different variations of SOC examinations?
For service organizations, there are SOC 1®, SOC 2® and SOC 3® examinations. In addition to these examinations, the AICPA has also formulated a SOC for Cybersecurity and a SOC for Supply Chain.
The AICPA has branded the SOC Suite of Services and reporting options as follows:
- SOC for Service Organizations:
  - SOC 1 Examinations (Types 1 and 2)
  - SOC 2 Examinations (Types 1 and 2)
  - SOC 3 Examinations
- SOC for Cybersecurity
- SOC for Supply Chain
Since SOC 1 and SOC 2 reports are the most highly demanded by user entities, a more detailed overview of these two report options is warranted.
Both of these reports come in two types, Type 1 and Type 2, which are also outlined below.
What is a SOC 1 report?
In SOC 1 reports, there are no specified criteria. The service organization develops and authors the overall control objectives and the related controls specific to achieving those objectives. The service organization is also responsible for the description of the system section of the report.
SOC 1 reports are intended to report on controls at a service organization relevant to an entity’s internal control over financial reporting (ICFR), and they are typically performed over services such as employee benefit or retirement plans, financial/custodial services, payroll processing, payment processing, loan servicing, etc.
SOC 1 reports are restricted to management of the service organization, user entities and their auditors.
What is a SOC 2 Report?
In SOC 2 reports, the AICPA has specified the trust services criteria used to evaluate controls and provides points of focus that organizations can use to assist in determining applicable controls and control language.
The trust services criteria can be classified into five categories:
- Security;
- Availability;
- Processing integrity;
- Confidentiality; and
- Privacy.
When electing to use SOC 2 examinations, the security category (also identified as the “common criteria”) must be utilized, and then additional categories can be chosen as applicable to the organization’s service commitments or system requirements.
For example, if the service organization outlines in its service level agreements that the system or software platform will be available to its users 24/7, 365 days a year and that business continuity and disaster recovery procedures are in place and tested at least annually, the Availability Category would be relevant for their report.
The AICPA has also developed certain standards the service organization must use when preparing the description of the system for SOC 2 reports, which are outlined in the Description Criteria (DC) Section 200.
SOC 2 examinations are typically performed for Data Center Co-locations, Software as a Service (SaaS) providers, Cloud Service providers, Managed IT Services providers, etc.
These reports are restricted to user entities of the system, business partners, prospective user entities and business partners, and regulators who have an understanding of the service organization and its controls.
What is the difference between a Type 1 and Type 2 SOC report?
A Type 1 report is as of a specified date and assures that the description of the system is fairly presented (SOC 1 report) or is in accordance with the description criteria (SOC 2 report), and that controls are suitably designed as of the specified date. A walk-through of the controls and test of one is performed, but there is no detailed testing.
A Type 2 report is over a specified period, typically not less than six months. The opinion gives assurance over the description and suitability of design of controls, and also over the operating effectiveness of the controls. The Type 2 exam involves detailed testing of controls over the entire reporting period.
How are SOC Reports formulated?
The steps to performing a SOC examination vary, depending upon how prepared the organization is to meet the requirements. As a service auditor, we typically recommend following the four-step process outlined below when conducting a SOC examination:
SOC Examination Step 1: Conduct an Engagement/Planning Meeting
The service auditor meets with the service organization to determine the scope of the system or services, the SOC option most applicable for the organization’s needs, and the timing, scheduling and fees of the engagement.
SOC Examination Step 2: Conduct a Readiness Assessment
Meetings are held to discuss policies, processes and procedures the organization has in place or whether they have to be developed or refined. Walk-throughs, observations and inquiries regarding processes and procedures are performed by the service auditor.
The organization is responsible for developing control objectives and related controls (SOC 1 report), or specific controls to meet the SOC 2 report criteria; however, the service auditor can share knowledge, give advice or recommend appropriate control language to assist the organization in this task.
Any gap areas identified by the service auditor are reported to the service organization so that processes and controls can be refined in order to give reasonable assurance that the organization is well prepared before the SOC examination is performed.
SOC Examination Step 3: Type 1 Examination and Reporting (SOC 1 or SOC 2)
Organizations can choose to have the Type 1 examination performed prior to moving to the Type 2 examination to help ensure that controls are suitably designed and implemented as of a specified date.
A formal report is still issued by the service auditor; however, since no detailed testing of the operating effectiveness of controls is performed, the controls are simply listed as part of the organization’s system description. The service auditor’s opinion is stated in regard to the fairness of the presentation of the description (SOC 1) or according to the description criteria (SOC 2), and whether controls are suitably designed.
While not all organizations choose to have the Type 1 performed, it is definitely an option to consider in order to avoid multiple exceptions or deficiencies that might occur from moving to the Type 2 too quickly.
SOC Examination Step 4: Type 2 Examination and Reporting (SOC 1 or SOC 2)
When the organization elects to have the Type 2 examination performed, detailed testing will be completed by the service auditor over the entire reporting period as specified during the planning process.
In this report, the service auditor includes a description of tests performed, and the opinion will again cover the fairness of the presentation of the description (or description criteria), whether controls are suitably designed, and also if the controls operated effectively over the reporting period.
How can my organization get a SOC examination completed for a SOC report?
Warren Averett’s Risk, Security and Technology professionals work closely with service-providing organizations in order to gain a thorough understanding of their stakeholders’ requirements so that we can pinpoint the right solutions for their needs when it comes to SOC examinations and attestation services.
This blog was originally published on December 16, 2019 and was most recently updated on November 3, 2020.