What are SOC Reports?
For human bodies, the spine serves as our backbone—our central support structure. But the spine is also scaffolding—it’s broken into different areas that have different specific names and functions. The lumbar spine carries the weight of the upper body and helps us bend, whereas the thoracic spine isn’t designed to move much and instead provides stability. You get the gist.
In some ways, SOC reporting is like a spine. Within the industry, it might be considered the backbone of compliance reporting, given that it was one of the first brands to truly emerge, and at Schellman, it has been our staple service. But SOC itself also is made up of different “vertebrae”—different examinations that can serve the different needs of organizations.
For those curious about investing in this kind of compliance, it’s important to understand which part of the SOC reporting spine will best support your needs. As providers of each type of SOC report since their inception, we are well-practiced in each and, in this article, we’ll outline all the distinctions between each reporting option so you, having read it, will understand which SOC report is the one for your organization.
What are SOC Reports?
Formerly known as Service Organization Controls (SOC) reports, what are now known as System and Organization Controls reports help companies establish trust and confidence in their services or products, including their delivery processes and controls.
To receive a report, you must undergo an assessment performed by an independent third party that must be a certified public accountant (CPA). Because of that outside validation, as a whole, SOC reporting can help you:
- Meet contractual obligations, customer requirements, and many market concerns
- Minimize the trust gap between you and your stakeholders
- Proactively manage risk
- Drive control maturity within your organization
But there are several different kinds of SOC reports, and the process of choosing the correct one can be confusing. To help with your decision-making, here’s a breakdown.
What is a SOC 1 Report?
If your company outsources services that affect the internal control over financial reporting (ICFR) of another company, you might need a SOC 1 report. This assessment evaluates how your services impact your customers’ financial reporting control environment—as such, completed reports are typically used by their financial statement auditors to support their Sarbanes-Oxley Act (SOX) obligations.
One big misconception to note—some may believe that ICFR is synonymous with financial reporting or the financial reporting process, but a SOC 1 audit is not a financial audit. Rather, it’s intended to provide information relevant to any of the things that could affect the controls of the financial reporting process.
SOC 1 matters for both financial transactions and the things that can impact financial transactions (e.g. physical access to systems, logical access to systems, changes to systems, etc.) So, do you provide payroll processing, software-as-a-service (SaaS), data center services, network monitoring services, actuarial or insurance processing services, or physical security services?
If you do, or your services have anything to do with another organization’s control environment that could impact their financial reporting, you may need a SOC 1 audit.
What is a SOC 2 Report?
The scope of a SOC 2 report is more operational and broadly related to security and governance matters. Not only does it describe how your services remain secure and how you protect the data entrusted to you, but it also notes how well your organization keeps its commitments to the same.
At the basis of SOC 2 are the five Trust Services Categories (TSCs), each of which contains criteria that your controls and service commitments would be evaluated against, should you choose to include certain categories. Here’s a brief overview
- Security: Is your system protected against unauthorized access (both physical and logical), use, or modification?
- Availability: Is your system available for operation and use as committed or agreed?
- Processing Integrity: Is your system processing complete, valid, accurate, timely, and authorized?
- Confidentiality: Is the information designated as confidential protected as committed or agreed?
- Privacy: Is the personal information collected, used, retained, disclosed, and destroyed in conformity with your privacy notice and with other generally accepted privacy criteria?
Those that seek a SOC 1 may need a SOC 2 report as well, which could include SaaS providers, data analytics companies, and data center/colocation providers, among others. SOC 2 is by far the most popular SOC report, no doubt due to its flexibility in evaluating information security controls and its benefits.
For a full walkthrough on how to shape your SOC 2 report, check out our comprehensive guide here.
What is a SOC 3 Report?
Like SOC 2, the SOC 3 report focuses on your achievement with the TSCs and your service commitments and system requirements. But in a key difference between the two, a SOC 3 can be freely distributed to whomever because it only reports on whether you have met all the in-scope Trust Services criteria and your principal service commitments and system requirements—no test results or opinions are included in the report.
Because the SOC 3 report can be used or read by anyone, it becomes an attractive add-on for some performing a SOC 2 audit, as the SOC 2 is restricted use.
What is a SOC for Cybersecurity Report?
The American Institute of CPAs (AICPA) introduced a new branch to the SOC brand in 2017 with SOC for Cybersecurity. This kind of SOC assessment can serve any organization concerned about the rise of cyberattacks and their defenses against them.
During this assessment, you describe your current cybersecurity risk management program as well as your security approach, and your auditor will assess the state of said program against your chosen set of baseline criteria, of which there are options you can choose from.
Given the increasing reliance of organizations on their digital supply chain, if you yourself don’t opt for a SOC for Cybersecurity report, you might consider requesting one from your vendors to confirm their cybersecurity meets established criteria.
What is a SOC for Supply Chain Report?
Speaking of supply chains, SOC has also actually expanded to account for these in general through its SOC for Supply Chain report. Should you request a SOC for Cybersecurity report from a vendor as suggested, the contents will focus exclusively on that—their cybersecurity.
But this Supply Chain report instead concentrates on the operational risks faced by those organizations that deal with physical or tangible products—the producers, manufacturers, and distributors who operate as part of a system.
Any vendor risk assessment program must include a healthy evaluation of the risks posed by your business partners, including those that have supplied hardware, encryption modules, network devices, and the myriad IoT devices that are part of your organization’s ecosystem. But many organizations may fall into a common blind spot, paying scant or no attention to those that provide the software that is purchased and distributed into their environment—have you asked your software providers for their SOC for Supply Chain report?
By meeting these tailored criteria—and having your vendors meet them as well—you and your customers can rest a bit easier regarding the risks within your production and distribution system.
Should You Choose a Type 1 or Type 2 Report?
Choosing which kind of SOC report is one step—another is choosing the report type, if relevant (and it is for all reports aside from SOC 3). It’s an important step, as there’s a big difference between the two:
- Type 1 – Reports on how well designed your policies, processes, and procedures are, as well as how they’ve been implemented. These are done as of a point in time and as such, require less effort than a Type 2.
- Type 2 – Report on the design and implementation of your controls, but also their operating effectiveness over a period of time.
- Your Type 2 audit will require things like sample testing to get an in-depth look at the control operation over a period of time, along with other documentation to evidence operational effectiveness.
- Examples of items tested might include completed security awareness training for a sample of employees hired during the review period or the termination checklists for a sample of employees terminated during the review period.
(Note: While Type 1 and Type 2 are the literal terminology for SOC 1 and SOC 2 reports, Cybersecurity and Supply Chain use different nomenclature, they also allow for a point-in-time assessment that is similar to a Type 1).
Organizations that are new to the SOC examination process commonly choose to perform either a readiness assessment—which is a gap assessment to prepare for a Type 1 or 2 report—or a Type 1 report for the first year before performing Type 2 audits in subsequent years.
How to Choose the Right SOC Report for You
With so many options that provide different kinds of support, choosing which SOC report to invest in can be difficult, and in fact, it’s not uncommon for organizations to undergo multiple SOC reports, depending on the nature of their work and their customer demands.
When making your decision, it’s important to understand your market and listen primarily to the concerns of both current and potential customers. If you have any pressing questions regarding the specifics of each examination, our team of subject matter experts would be happy to schedule a conversation to address any concerns you may have.
If you’d prefer to continue your research for the time being, please check out our other in-depth breakdowns of the different aspects of SOC audits and related factors:
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for co-leading Schellman's ISO practice as well as the development and oversight of Schellman's SOC practice line as well as specialty practices such as HIPAA. Danny has been with Schellman for eight years and has over 11 years of experience in providing data security audit and compliance services.