Service Organization Control reports (SOC), in a nutshell, help companies with various aspects of their business. Essentially, these reports outsource different responsibilities within a business, like payroll, medical claims processing, document management and much, much more. Typically, they are aspects of a business that a company or “user entity” is not capable of doing as well as the service organization. It also allows the company or “user entity” to concentrate on other facets of their business. These reports come in various types based on the type of work the user entity does.
In this article, we’ll discuss the different types of reports in detail, as well as why you might choose one Service Organization Control report over another. To best understand how it works, it’s important to make sense of the system that came before SOC. Prior to the implementation of Service Organization Control, CPAs used a system called SAS 70.
That service was designed to help CPAs with outsourcing services related to the user entities’ financial statements. It worked for a while, but with the increase in cloud computing, businesses are outsourcing application access, data storage and dozens of other computing functions to service organizations. For user entities, this is great! They save money while cutting time, risks and costs associated with doing their own computing.
Nevertheless, the rise in outsourcing didn’t eliminate the potential risk associated with sending sensitive documents elsewhere. The risk of those confidential documents leaking while in the hands of the service organization remained. If a security breach occurred within the service organization, the user entity was still the one who took much of the fallout from the breach. Therefore, user entities demanded more assurances from service organizations concerning the safeguarding of their information. That is when SAS 70 turned into the SOC framework.
Who Needs Service Organization Control Reports?
Now that we have defined where Service Organization Control reports came from, we can discuss who needs them. First, no one needs Service Organization Control reports; however, the vast majority of companies use them. The biggest reason why user entities use SOC reports is to save money and time.
By outsourcing SOC reports, user entities can focus on what they do best and leave the computing to service organizations whose entire function is just that. Service organizations help relieve operational costs, lower headcounts and improve the overall security and reporting for a company. No longer do user entities need to stress about a dozen different tertiary elements of their business. Simply learn about which SOC report is right for a particular situation, vet the service organization and presto, your company’s operational weight just got a lot lighter! The next natural question is then, which SOC report should I choose?
Which Service Organization Control Report Is Right For Me?
SOC reports come in three different types: SOC 1, SOC 2 and SOC 3. Choosing between the three comes down to the specific needs of your organization. Clearly, creativity isn’t a strength here. We will break down each report in detail, so you know exactly which is right for you.
SOC 1 Report
Service Organization Control Report 1 is aimed specifically at user entities who seek to outsource operations relevant to their internal control regarding financial reporting. Obviously, paying people is very important, especially if hundreds of people work for you. There’s also the little thing called taxes that is connected to financial reporting. Any small mistake can lead to an angry workforce or an unbalanced financial sheet. Companies using a SOC 1 require independent affirmation that their financials are in order. User entities that typically use SOC 1 reports are:
- Data Centers.
- Medical claims processors.
- Loan Servicing processors.
- Software-as-a-Service organizations who have an impact on the financials of their clients.
Now is a good time to mention that SOC 1 reports come in two types. This can be confusing since there is also a Service Organization Control 2, which also comes in two types. Amazingly, it’s not as complicated as it sounds.
Service Organization Control report 1 type 1: Sometimes called point-in-time reports, SOC 1 type 1 reports are time specific. These reports include a breakdown of your organization’s system and evaluations to discover whether or not the controls were designed properly. In simple terms, Service Organization Control report 1 type 1 examines the design of your controls but not their overall effectiveness.
Service Organization Control report 1 type 2: These reports cover a period of time, normally 12 months. Similar to SOC report 1 type 1, SOC report 1 type 2 includes a description of the company’s system, but it doesn’t examine how the controls were designed. However, unlike SOC report 1 type 1, SOC report 1 type 2 tests the operational effectiveness of internal control over a set length of time.
Need To Know Reports: Service Organization Control 1
Since SOC report 1s usually contain sensitive information relating to the financials of organizations, they should not be widely shared. In general, they should only be shared with management of the service organization, user entities, and financial auditors. Dissemination of these reports to any other individuals could compromise your sensitive financial information. No one wants to undergo auditing. However, if you are audited, these service organization report 1s are very helpful.
Service Organization Control 2: The Attestation Report
Before we help you decide which SOC report is best for your company, let’s talk about how SOC 2 reports are differentiated. SOC report 2 proves a service organization’s ability to protect itself from risk based on the specific services it provides. Therefore, SOC report 2 should be chosen carefully, based on the needs of your company and the specific services rendered by the service organization.
Here is where SOC 2 reports can be confusing because they don’t have biblical style criteria for user entities to understand. Instead, the American Institute of CPAs (AICPA) offers standards that the service organization chooses to establish that they are insulated from outside threats. The service organization chooses standards based on the type of service they provide.
For user entities, this can be a little annoying. Everyone would prefer a one-size-fits-all approach. Unfortunately, SOC 2 reports don’t work that way. Instead, user entities must determine their needs and how to best fit the criteria established by the service organization.
This is where a smart auditor is worth their weight in gold. Their job is to understand the controls the user entity already has in place and help them fit within the service organization’s criteria. The best auditors will help you meet the requirements without drastically changing your controls or adding unnecessary costs.
Often, an auditor will find gaps and areas that need new controls to fit the requirements. Other times, simple changes and alterations will have your system up to standard in no time. It all just depends on the needs of your company and the current status of your controls.
A common misconception about SOC 2: many people refer to SOC 2 as a SOC 2 certification. There is no SOC 2 certification, only a SOC 2 attestation, but people often confuse the two.
How Service Organization Control 2 Reports Work
SOC 2 reports, as we mentioned, are reports of attestation. What that means is the service organization management will assert that proper controls are in place to meet some or all of the AICPA’s five SOC 2 Trust Services Criteria (TSC). We’ll discuss those in detail soon.
When a service organization delivers a SOC 2 report, it will have an opinion from a CPA firm either confirming the service organization’s assertion or providing a conflicting opinion. The opinion decides if the proper controls have been used to address the chosen TSCs and if the controls are designed or operating effectively. Similar to SOC 1, SOC 2 has two types. Type one determines if the controls were properly produced. Type two determines if they are operating effectively.
What Report Is Best For My Company?
This is likely the $100,000 question you’ve been waiting for. Which report is right for us? For that answer, you need to ask yourself two questions. Who are the stakeholders and clients asking for the report, and what type of services are you providing for clients? The answers to those questions will let you know whether or not your clients affect the Internal Controls over Financial Reporting (ICFR).
If your service organization control reports can affect your ICFR, then, in all likelihood, a SOC 1 report will best fit the needs of your company. However, if your SOC reports only impact the processing integrity, security, privacy, and confidentiality of user entities, then a SOC 2 will probably fit your organization’s needs best.
Example of a Service Organization Control 2 Report
A majority of companies outsource their IT needs to cloud hosting providers like Amazon or Google. Naturally, these companies want assurances and reports from their cloud hosting provider that their data and information are safe. However, whether it’s Amazon or another provider, they don’t have the time to individually reassure all their service entities that their service is safe.
Instead, Amazon, for example, will choose a CPA firm to carry out service organization control report 2 examinations. Once that is complete, Amazon will send a SOC 2 report to all of its user entities. That report is intended to allay the security fears of user entities and answer many of the common questions they might have.
What Are the Trust Services Criteria?
Trust Services Criteria (TSCs) are five categories of security related to your Service Organization Control report 2. As a user entity, a company chooses from the five categories those elements of security that are most relevant to their work. Some people may ask why anyone would do less than all five. Wouldn’t you want the strongest report possible? The answer is quite simple: not all service entities need all five categories checked. Here are the five criteria explained:
- Security: The system is secure against unauthorized access both physical and digital.
- Availability: The system is accessible for use as agreed upon.
- Processing Integrity: The system processes information accurately, comprehensively, and only by authorized users.
- Confidentiality: The system secures data that has been designated “confidential” by the user entity or stated within the agreement.
- Privacy: User information is accumulated, stored, shared, and destroyed in accordance with the user entities’ privacy notice. The service organization control also follows the Privacy Principles set forth by the AICPA.
Some people may ask, why wouldn’t I want all five criteria in my SOC 2 report? There’s a good chance your company doesn’t need all five. For example, if your company doesn’t process transactions, it doesn’t make much sense to include processing integrity in your report. Choosing the criteria that best fit your company will save you time and money.
Is there a Service Organization Control Report 3?
Yes, but thankfully for everyone, it’s very easy to explain. A service organization control report 3 is just like a SOC report 2, only it’s intended for a general audience. Unlike a SOC report 2, you can post a SOC report 3 on your website for public consumption. Sensitive information in a SOC report 3 is redacted, so the general public may glean information about your company without compromising your security.
With the increasing complexity of IT departments, Service Organization Control Reports are becoming more vital to businesses. The cost in both time and money of running the technical and informational details of your company is overwhelming. That’s why Service Organization Controls exist. They provide the services you can’t afford to be doing. Running a business is hard enough, without trying to put out processing fires and double-checking your numbers.
By choosing the right Service Organization Control, you can free up time to take other aspects of your company to the next level. Just be sure you choose the right Service Organization Control and the right report for your business. In today’s world, security is at a premium and you want a Service Organization Control that will take your data as seriously as you take your business. Check out RSI Security for more information on Service Organization Control Reports and how they can help you.