Understanding how your organization’s financial, IT, and operational controls are safeguarding your data is critical to building trust and transparency. For service providers, you must provide assurance that these controls are operating effectively to a wide range of audiences: board members, stakeholders, customers, and potential clients. One of the most effective ways to demonstrate this is through a System and Organization Controls (SOC) report. However, there are a number of different SOC reports, and determining which one your organization needs for a specific purpose can be a challenge. In this post, we’ll look at a brief history of SOC reports as well as each kind of report to help you choose the one that fits your organization’s needs.
A Brief Background on SOC Reporting
In an effort to help organizations demonstrate the effectiveness of their control environments, the AICPA created the original standard, Statement on Auditing Standards No. 70 (SAS 70), in April 1992, which licensed CPAs used to evaluate internal controls. Specifically, this type of examination reported on the effectiveness of internal controls over financial reporting (ICFR). Many organizations began using SAS 70 reports as a way to prove their environment was secure and that they were a smart vendor to work with, even though this was not the intended purpose. Eventually, in 2010, SAS 70 was updated and replaced by the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), whose report the AICPA renamed SOC 1. SSAE 16 has since been superseded by SSAE 18.
The AICPA then introduced the SOC 2 examination report framework to meet the growing demand among service organizations for SOC reporting. Within this framework are the 5 Trust Services Criteria, which define the specific criteria that an organization's controls must meet to address the risks and opportunities of IT-enabled systems and privacy programs.
These five criteria are:
- Security: The system is protected against unauthorized access, use, or modification
- Availability: The system is available for operation and use
- Processing Integrity: System processing is complete, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed to meet the entity’s objectives
In 2017, the AICPA released the SOC for Cybersecurity framework, which helps organizations evaluate their cyber risk management programs. Today, these reports are widely used by service organizations across industries to demonstrate to their clients, prospects, boards, and investors that their financial, IT, and security controls are effectively protecting their business.
SOC 1 Report - Internal Control over Financial Reporting (ICFR)
A SOC 1 report is an examination of internal controls for service providers that handle client financial data. This type of examination is intended to help service organizations reduce potential errors in client information and ensure their controls operate efficiently. More simply, a SOC 1 demonstrates to clients that their financial information is being handled in accordance with their expectations and with SSAE 18. A few types of service organizations where a SOC 1 would be applicable include data service centers, payroll and medical claims processors, and lending services providers.
There are two types of SOC 1 reports:
SOC 1 Type 1 Report
A SOC 1 Type 1 report addresses the suitability of the design of a service organization's controls, and whether those controls are implemented, as of a specified point in time. This report provides an opinion on whether controls are present and properly designed to achieve the stated objectives, but it does not test their operating effectiveness.
SOC 1 Type 2 Report
A SOC 1 Type 2 report addresses the suitability of the design of a service organization's controls, and whether those controls are implemented, throughout a period of time. This report is more comprehensive, providing an opinion on whether the controls present over that specified time frame are operating effectively.
SOC 2 Report - Trust Services Criteria
SOC 2 reports are designed to provide detailed information and assurance attesting that the controls at a service organization are consistent with one or more of the 5 Trust Services Criteria established by the AICPA. A SOC 2 is intended for technology-based companies, or other service organizations whose services could affect a user organization's security, availability, processing integrity, or confidentiality. This report is frequently required of technology-focused companies, and it is unique to each organization. Organizations that might be required to obtain a SOC 2 include data centers, software developers, managed service providers, and cloud-hosting providers.
The two types of SOC 2 reports are essentially the same as the SOC 1, but instead of using management's control objectives as a foundation, they attest to the Trust Services Criteria:
SOC 2 Type 1 Report
A SOC 2 Type 1 report tests the implementation and design of a service organization’s controls based on the Trust Services Criteria at a specified point in time, but not their operating effectiveness. An auditor will issue an opinion based on management’s description of the controls and review of the documentation around these controls.
SOC 2 Type 2 Report
A SOC 2 Type 2 report tests the implementation, design, and operating effectiveness of key internal controls based on the Trust Services Criteria over a period of time. An organization's controls are described and evaluated for a minimum of six months to determine whether they are functioning as described by management. An opinion is then issued based on the controls' operating effectiveness.
SOC 2+ HITRUST CSF Report
A SOC 2+ report is a SOC 2 examination that includes an additional subject matter review, typically against frameworks or regulations such as HITRUST, HIPAA, ISO 27001, and the Cloud Security Alliance Cloud Controls Matrix. The SOC 2+ HITRUST report is growing in popularity. In this report, a service auditor expresses an opinion on whether the controls as designed are operating effectively to meet both the selected Trust Services Criteria and the HITRUST CSF requirements. This examination must be performed by a qualified CPA firm that is licensed by HITRUST; however, it does not result in a HITRUST certification.
A SOC 2+ HITRUST examination can provide many benefits, including:
- Streamlined audit processes and reduced burden on internal teams
- Cost and time savings
- Assurance over a period of time
- No control maturity assessment required
- Reduced inefficiencies by identifying the overlap in controls
SOC 3 Report - Trust Services Criteria for General Use
A SOC 3 report is similar to a SOC 2 in many ways, attesting to the adequacy of an organization's information system as it relates to the Trust Services Criteria. While a SOC 3 report covers the same information and concerns as a SOC 2 report, it contains only limited descriptions of the tests and their results. This abbreviated description allows the SOC 3 report to be broadly distributed and shared, serving as a useful marketing and sales tool that helps solidify relationships with current clients and prospects. The report can be hosted on a company's website or provided to prospective clients to help generate positive publicity around an organization's privacy and security standards.
If you're interested in learning how a SOC 1, 2, or 3 report can benefit your organization, Focal Point is here to help.