System and Organization Controls (SOC) reports are an essential method for service organizations to build trust and confidence in the software and service delivery processes and controls that protect information and systems against risks, including unauthorized access and damage to systems. The SOC report framework, previously referred to as Service Organization Controls, was developed by the American Institute of Certified Public Accountants (AICPA) and is administered by independent third-party certified public accountants (CPAs).
System and Organization Controls reporting offers a comprehensive, repeatable process that enables an organization to assess once and provide reports to many internal and external stakeholders. Even if SOC reports are not mandatory for your organization, you may want to consider developing them to reduce the time and resources devoted to assessing risk, performing audits, preparing reports and completing questionnaires in order to secure business contracts and meet contractual obligations.
As organizations increasingly use cloud-based environments, they are often uncertain which security controls must be managed internally and which are managed by the software or cloud vendor. Clients may also be confused about the audit processes and reports required to meet compliance requirements. Taking a proactive approach to providing SOC reports for clients establishes you as a leading partner that ensures effective security controls are in place and that compliance requirements for cloud providers are met. This puts your organization's reputation ahead of other, less-knowledgeable potential partners.
SOC Report Options
AICPA provides several System and Organization Controls report options, each of which is designed to meet specific organization and client needs.
- SOC 1: SOC for Service Organizations: Internal Control over Financial Reporting (ICFR)
- SOC 2: SOC for Service Organizations: Trust Services Criteria Report
- SOC 3: SOC for Service Organizations: Trust Services Criteria for General Use Report
- SOC for Cybersecurity: Entity-Level Cybersecurity Risk Management Program Report
- SOC for Supply Chains: An internal-controls report on organizations producing, manufacturing or distributing goods (report is in development)
Detailed summaries of the SOC report options are provided below to help you choose the right report, or combination of reports, to meet client needs across many industries and compliance frameworks. Read on to find out more about each SOC report option.
SOC 1 Report
Your organization would choose a SOC 1 report if you provide outsourced services that affect a client's internal control over financial reporting; such a report may also be necessary to meet compliance requirements. SOC 1 reports allow auditors to evaluate the risk associated with the use of a particular service organization and are often used when auditing a user entity's financial statements for compliance with the Sarbanes-Oxley Act (SOX). Types of service organizations that would use a SOC 1 report include:
- Data centers
- Payroll processors
- Loan service processors
- Software-as-a-service (SaaS) organizations that can impact client financials.
SOC 1 provides two types of reports. A SOC 1 Type 1 report provides a description of the operating effectiveness of a service organization's controls as of a specific date and includes a review of the controls' design.
A SOC 1 Type 2 report contains the same data on controls and also reports on control operating effectiveness over a specified period of time. Type 2 reports require additional preparation effort, as controls are tested over a period of time rather than at a point in time as for a Type 1 report. Testing examples include documentation of completed security awareness training for employees hired during the review period, or a termination list for employees terminated during the review period.
Service organizations may choose to perform a readiness or gap assessment for a Type 1 report during a first-year examination to gain experience with the required audit process. In subsequent years the organization would use this experience to prepare for a successful Type 2 report examination.
SOC 2 Report
Your organization would choose a SOC 2 report if you host or process sensitive client information as a provider of information systems and services, including data centers, IT managed services, and SaaS or cloud computing organizations. SOC 2 reports are intended for a broader range of users than SOC 1 reports. Use of SOC 2 reports, however, is generally restricted to specific parties, including a client's auditors, managers, regulators, business partners and any stakeholders a manager or auditor identifies for report distribution. The SOC 2 report is not focused on a service organization's impact on financial reporting. Instead, it reviews an information system against five criteria known as the Trust Services Criteria (TSCs):
- Security (also known as common criteria): The only TSC required for SOC 2. Demonstrates a service organization’s information and systems are protected against risks, including unauthorized access and disclosure of information, and damage to systems, that could impact the ability to provide services to clients.
- Availability: Demonstrates information and systems are available for operation and use at all times.
- Processing integrity: Demonstrates system processing is occurring in a complete, valid, accurate and timely manner.
- Confidentiality: Demonstrates that information classified as confidential is protected from compromise, from creation or collection to final disposition and removal from the service organization’s control.
- Privacy: Demonstrates that personal information in the organization’s possession is handled and protected appropriately.
Similar to SOC 1 reports, there are two versions of the SOC 2 report. Type 1 is a snapshot as of a specific point in time, whereas Type 2 reviews controls over a period of time.
SOC 2+ Report
The AICPA also provides a SOC 2+ report option that expands reporting beyond the Trust Services Criteria to cover other subject matter or additional criteria relevant to the service organization's services, including NIST, ISO 27001, COBIT 5, GDPR or HITRUST.
In collaboration with the Cloud Security Alliance (CSA), AICPA has developed a third-party assessment program for cloud providers: the CSA Security, Trust and Assurance Registry (STAR) Attestation. The STAR Attestation provides a framework for assessing cloud providers using the SOC 2 examination and report, with the CSA Cloud Controls Matrix included as additional criteria.
SOC 3 Report
SOC 3 reports are designed to be distributed to anyone who may have an interest in your organization's business and system processes. These reports demonstrate to potential clients the capability of a service provider's controls to manage risk. Like SOC 2 reports, SOC 3 reviews an information system against the same five TSCs. SOC 3 reports, however, are generally easier to read, contain less detail and require less knowledge of audit processes.
SOC 3 reports are not required by compliance frameworks; however, they can provide important information to clients regarding the security your service organization provides for their critical systems and sensitive data. In addition, because SOC 3 is intended for a wider audience, the report can be much easier for decision-makers without a financial or audit background to comprehend and can be used for marketing purposes as well.
Multiple SOC Reports
Your organization may have a range of clients across multiple industries, with some clients requesting SOC 1 reports and others SOC 2 reports. Since SOC 2 and SOC 3 reports use the same five TSCs, a service organization may choose to prepare both to meet the needs of clients and users with varying levels of financial and technical expertise. Reports cannot be combined; however, preparing all three report options allows for testing efficiencies where the controls included in the reports overlap.
SOC for Cybersecurity
Cybersecurity is increasingly a critical priority for many organizations as more daily business activity is conducted online and cybercrime continues to grow with more sophisticated attacks. In response, AICPA developed a SOC for Cybersecurity framework that is appropriate for businesses, non-profits or any other type of organization. The SOC for Cybersecurity framework provides an independent, entity-wide assessment based on the five TSCs that gives investors, boards of directors, executives, business partners and other stakeholders trust and confidence in your organization's Cybersecurity Risk Management Program (CRMP).
In a SOC for Cybersecurity examination, two complementary subjects are evaluated: a description of the organization's cybersecurity risk management program, and the effectiveness of the controls within that program in achieving the organization's cybersecurity objectives. The examination produces a cybersecurity risk management examination report that is intended for general use.
Your organization will want to consider performing a readiness or gap assessment to provide a foundation for a comprehensive SOC examination. An assessment will provide data and evidence to:
- Identify control weaknesses
- Recommend remediation for control weaknesses
- Determine boundaries for the examination(s)
- Develop a system description (SOC 1, SOC 2 and SOC 3)
- Determine control objectives and activities (SOC 1)
- Determine control objectives and activities based on TSCs (SOC 2 and SOC 3)
- Develop a description of a Cybersecurity Risk Management Framework (SOC for Cybersecurity)
- Consider options for additional subject matter and control categories for a SOC 2+ report
For a service organization that provides third-party services, it is becoming increasingly critical to prove to clients a commitment to ensuring that client information and systems are protected against risks, including unauthorized access and disclosure of information, and damage to systems. The AICPA's SOC report framework provides an efficient, effective method for building trust and confidence in the software and service delivery processes and controls in place to protect systems and sensitive information. Preparing System and Organization Controls reports is also an efficient method for giving both internal and external stakeholders insight into your system and organization controls, regardless of their level of technical or compliance knowledge.
For more information on System and Organization Controls reports, you can visit the AICPA website.
Give RSI Security a call or send us an email with any questions you may have, and one of our qualified experts will help and support you with SOC examinations and with preparing reports that meet all your client needs across various industries and compliance requirements. If your organization has just started exploring the world of SOC reports, RSI Security can get you started with a readiness or gap assessment as a foundation for determining your SOC report requirements.