Introduction
System and Organization Controls (SOC) reports have become one of the most common methods for organizations to describe their services and provide stakeholders with assurance over their internal control environments. Obtaining a SOC report can seem like a daunting and complex endeavor. Often organizations are under pressure, on tight timelines, to obtain a SOC report at the request of a customer, potential customer, investor, oversight body, etc., but they have no personnel with SOC-specific expertise and no clear understanding of the benefits of obtaining one. Our goal with this article is to give you a general overview of SOC report basics and of the types of SOC reports an organization can obtain.
SOC Report in a Nutshell
A SOC report consists of a centralized description of an organization’s internal control environment that is examined and opined upon by an independent certified public accountant (CPA). Depending on the type of report, the CPA provides an opinion on the fairness of the presentation of the description, the suitability of the design of the controls included, and/or the operating effectiveness of the controls over a predetermined period. SOC reports are often referred to as SSAE 18 reports. This refers to the 18th publication of the Statements on Standards for Attestation Engagements (SSAE 18) issued by the Association of International Certified Professional Accountants (AICPA), which contains the governing standards for CPAs performing SOC examinations and other types of attestation engagements. However, the label "SSAE 18 report" does not truly convey which type of report is being referenced. The AICPA has established a suite of different types of SOC reports, each governed by SSAE 18, to address the specific needs of varying types of organizations and their stakeholders.
Types of SOC reports
SOC 1 – SOC for Service Organizations: ICFR.
SOC 1 reports are obtained by service organizations that provide services likely to be relevant to their customers’ internal control over financial reporting (ICFR). Because of this relevance to customers’ ICFR, a service organization’s own internal controls may need to be evaluated by its customers or by its customers’ financial statement auditors. The use of SOC 1 reports is restricted to management of the service organization, its customers (users), and the financial statement auditors of its customers.
For more detailed information on SOC 1 reports please see our blog What is a SOC 1 and Do You Need One? or contact us here.
SOC 2 – SOC for Service Organizations: Trust Services Criteria.
SOC 2 reports are obtained by service organizations that want to demonstrate the security, availability, processing integrity, confidentiality, and/or privacy of their services. SOC 2 reports differ from SOC 1 reports in that there are pre-established sets of criteria, called the Trust Services Criteria, upon which the service organization bases its internal controls and against which the independent CPA evaluates those controls. The control criteria are segregated into five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security category contains a base set of common criteria and is generally required to be included in any SOC 2 report. Each other category and its associated criteria are included at the discretion of the service organization and usually depend on the nature of the services offered. The use of a SOC 2 report is also restricted; however, that restriction is typically applied broadly to management of the service organization and to parties who have sufficient knowledge and understanding of the service organization and the content of the report. SOC 2 reports are one of the most common methods by which service organizations provide stakeholders with assurance over their internal control environment.
For more detailed information on SOC 2 reports please see our blog What is a SOC 2 – Overview, Who Needs One, and How to Obtain a Report or contact us here.
SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report.
Similar to a SOC 2 report, a SOC 3 report is intended to provide report users with information and an independent CPA’s opinion regarding the security, availability, processing integrity, confidentiality, and/or privacy of the services offered. The difference lies in the intended users of the report. The SOC 3 report is unrestricted and can be used for general distribution. The content of the SOC 3 report is reduced to exclude the detailed lists of controls and service auditor testing procedures, so that an uninformed reader does not misinterpret the information. SOC 3 reports are commonly displayed on organizations' websites and within marketing materials and can be provided freely to prospective customers. Often service organizations will obtain a SOC 3 report along with their SOC 2 report.
SOC for Cybersecurity
In 2017 the AICPA established a cybersecurity risk management reporting framework to help organizations communicate relevant and useful information regarding the effectiveness of their cybersecurity risk management program, via a SOC for Cybersecurity report. The framework consists of description criteria, which organizations use when presenting information about their cybersecurity risk management programs, and control criteria, which organizations use to evaluate the effectiveness of those programs. SOC for Cybersecurity examinations leverage the same control criteria as SOC 2 reports with respect to the Security, Availability, and Confidentiality categories but exclude the Processing Integrity and Privacy categories. Similar to SOC 3 reports, a SOC for Cybersecurity report’s use is unrestricted and it can be used for general distribution. The appearance of a SOC for Cybersecurity report is also similar to a SOC 3 in that it includes an assertion by management, the independent auditor’s report, and a description of the cybersecurity risk management program; however, the report excludes a detailed list of controls and auditor testing procedures.
There are a few subtle but important differences between a SOC for Cybersecurity and a SOC 1/2/3. For instance, whereas a SOC 1/2/3 is obtained by service organizations, a SOC for Cybersecurity can be obtained by any entity. Also, the scope of a SOC 1/2/3 is typically limited to a specified system (i.e., a product), whereas a SOC for Cybersecurity can be an entity-wide assessment of the organization’s cybersecurity risk management program. Lastly, while the AICPA offers a framework of description criteria and control criteria for organizations to use when presenting their cybersecurity risk management program, organizations have the option to use a separate framework within a SOC for Cybersecurity report if they choose.
SOC for Supply Chain
The SOC for Supply Chain examination is the AICPA’s newest reporting framework, designed to help manufacturers, producers, and distribution companies communicate information regarding their production, manufacturing, or distribution system and their supply chain risk management program. The intent of the report is to provide greater transparency so that report users can better understand and manage the risks arising from business relationships with their supplier and distribution networks. A SOC for Supply Chain report is similar to a SOC 1 and SOC 2 in that it contains a detailed description of the system that is the focus of the report (presented in accordance with a framework established by the AICPA) and a list of the organization’s controls based on the applicable control criteria. The SOC for Supply Chain uses the same control criteria as SOC 2. Those criteria span five categories, included at the discretion of management: Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. Also similar to SOC 2, the SOC for Supply Chain report is restricted in its use to management and to specified parties who have sufficient knowledge and understanding of the system presented so as not to misinterpret the information within the report. In practice this means the report cannot be broadly distributed, for example by posting it on the company website.
The SOC for Supply Chain report can be a great way for manufacturing, production, or distribution companies to differentiate themselves in the marketplace with a targeted, flexible, and voluntary compliance assessment. It can also be a key input for any organization evaluating the supply chain risks associated with a current or potential business partner or vendor.
Conclusion
SOC reports are valuable instruments organizations can leverage to distribute information regarding their services and the internal control environment associated with those services. They are also reliable reports companies can request in order to evaluate the control environment of their vendors and business partners. It has become a common business requirement that organizations be able to demonstrate their internal control environment, typically via an independent compliance assessment, and such assessments are now frequently included within standard business contracts as a vendor requirement. SOC reports are one of the most widely accepted compliance assessments across a broad spectrum of industries. SOC reports often help organizations reduce the costs associated with completing time-consuming vendor questionnaires, hosting customer audits, and fielding a constant flow of inquiries from current or potential customers, because a SOC report provides a single document that can be easily distributed to satisfy most of these customer concerns and relieve the burden on personnel.
If you have decided you need a SOC report, the first step is to determine which type of report will provide your organization and your customers the most benefit. A competent CPA firm can guide you in determining the type of report that is right for you. If you need help deciding which type of report is right for your organization, or have any questions about the SOC examination process, we are happy to help! Please feel free to contact us and we will connect you with one of our industry experts.
Written By:
Dale Crump
Dale Crump is the Founder and Managing Partner of Assurance Point, LLC. Dale oversees a variety of attestation and advisory engagements within the information security, privacy, risk management, and compliance sectors.
He has broad experience across an array of internal control and risk management frameworks and specializes in SOC reporting, having contributed to the issuance of over a thousand high-quality reports in his career.
Dale is a licensed CPA and holds additional certifications including the CISSP, CISA, CIPP/US, CCSK, ISO 27001 Lead Auditor, and the Advanced SOC for Service Organizations credential. Dale is an active member of the AICPA, the Georgia Society of CPAs, ISACA, and the IAPP, among others. In his spare time Dale is an avid outdoors enthusiast and Atlanta sports fan, and he enjoys spending time with his two kids.