What are Service Organization Controls (SOC) Reports?
Service Organization Controls (SOC) reports help companies establish trust and confidence in their service delivery processes and controls. The reports are administered by an independent third party that must be a certified public accountant (CPA). Choosing the correct report among the three can be a confusing task. That’s why we’ve broken it down for you, to help with your decision process.
What is a SOC 1 report?
Your company might need a SOC 1 report if it outsources services that affect the internal control over financial reporting (ICOFR) of another company. This report enables a user auditor to evaluate the audit risk associated with the use of a service organization. Examples of such businesses are payroll processing, software as a service, data center, and network monitoring services.
An auditor of a company’s financial statements or management of the service organization would use this report. Typically, these reports are used by financial statement auditors when reporting on internal control to comply with Sarbanes-Oxley Act (SOX) obligations.
What is a SOC 2 report?
While the SOC 1 report focuses on a company’s internal control over financial reporting, the SOC 2 report focuses on non-financial controls such as security, availability, processing integrity, confidentiality, and privacy. This report is built on the Trust Service Principles (TSPs) and serves to educate the user entity about processes that affect the security, availability, processing integrity, confidentiality or privacy of its data. Companies that may have a SOC 1 often need a SOC 2 report as well, including software as a service companies, data analytics companies and data center/colocation providers.
The users of this report would be anyone who:
- Knows about the nature of the service that’s provided by the service organization
- Knows how the service organization’s system interacts with user entities and other parties
- Knows internal control
Should I Choose a Type 1 or Type 2 report?
Both SOC 1 and SOC 2 reports can be performed as either Type 1 or Type 2 reports:
- Type 1 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date (e.g. as of 12/31/15).
- Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period (e.g. 1/1/15 – 12/31/15).
Type 2 reports require additional effort by both the service organization and the auditor, because the testing of controls covers a period of time as opposed to a point in time, as in a Type 1 report. Type 2 reports require the auditor to conduct certain testing procedures, such as sample testing, which provide an in-depth look at control operation over a period of time and require the service organization to produce documentation to evidence operating effectiveness. Examples of testing might include completed security awareness training for a sample of employees hired during the review period or the termination checklists for a sample of employees terminated during the review period. It is common for service organizations that are new to the SOC examination process to choose either a readiness assessment (a gap assessment to prepare for a Type 1 or Type 2 report) or a Type 1 report for the first year, and in subsequent years perform a Type 2 report. This allows the service organization to work with the auditor to gain familiarity with the audit process and prepares them for a successful Type 2 examination.
What is a SOC 3 report?
The SOC 3 report, like the SOC 2 report, focuses on the TSPs, but can be freely distributed because it only reports on whether the entity has met all the Trust Services criteria. No test results or opinions are included in the report. The SOC 3 report can be used or read by anyone. As of 2014, a company can no longer place a seal of completion on its website; this has caused the SOC 3 report to lose some popularity.
What are the TSPs?
TSPs are a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs. The following principles and related criteria are used by practitioners in the performance of SOC 2 engagements:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles issued by the AICPA and CICA.
The TSPs of security, availability and processing integrity are used to evaluate whether a system is reliable.
Which SOC report is right for me?
Choosing which SOC report is the best option for your organization can often be a difficult task. It is not uncommon for service organizations to benefit from multiple SOC reports, because user entities may have an interest in both the internal controls over financial reporting covered by a SOC 1 and the non-financial controls such as security, availability, processing integrity, confidentiality, and/or privacy covered by a SOC 2. It is important to understand your market as a service organization and listen to the concerns of both current and potential customers before deciding which SOC report would be of the most benefit to your organization.
About DANNY MANIMBO
Danny Manimbo is a Director with Schellman & Company, LLC based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for the development and oversight of Schellman's SOC and ISO practice lines as well as specialty practices such as HIPAA. Danny has been with Schellman for eight years and has over 10 years of experience in providing data security audit and compliance services.