Demonstrate and Communicate the Effectiveness of Your Organization’s Controls Framework
There is no doubt that digital transformation has changed the way businesses operate. Service delivery relies on technology and on the interconnection of systems and data. As a result, it has become critical for the users of these services to understand the controls implemented to safeguard their data and to support financial statements that are free of material misstatement.
What Is a SOC Report?
SOC reports are examination engagements, conducted by an independent Certified Public Accountant, that provide an opinion on a service organization's ability to properly design, implement and operate controls to achieve its objectives (for example security, or the accuracy and completeness of financial information).
Who Needs a SOC Report and What Are Its Advantages?
Broadly speaking, organizations may be asked for a System and Organization Controls (SOC)-1 or SOC-2 report if they provide a system or service to customers (referred to as "user entities"). SOC reporting is becoming a critical part of vendor due diligence programs across the globe, as regulatory requirements continue to mature (e.g., Sarbanes-Oxley) and as cyber breaches continue to make headlines.
In some situations, depending on the system or service provided, organizations may be asked for both SOC-1 and SOC-2 reports. Depending on the environment and the scope being examined, controls can often be leveraged across both reports.
Instead of spending hours, days or weeks responding to vendor diligence questionnaires, or complying with "right to audit" clauses in a service organization's contracts, a SOC report allows a single independent service auditor to perform the procedures once. Because the auditor is independent, the resulting report can be relied upon broadly across the service organization's client base.
What Are the Types of SOC Reports?
There are two primary types of SOC reports: SOC-1 and SOC-2. A SOC-1 examines the ability of the organization's system and/or services to achieve specified control objectives (typically related to user entities' internal control over financial reporting). By comparison, a SOC-2 examines the organization's ability to achieve its service commitments and system requirements relative to security and any other optional criteria prescribed by the American Institute of Certified Public Accountants (AICPA).
There are also two options for exam coverage: Type I and Type II. A Type I report provides coverage as of a point in time and covers the completeness and accuracy of the organization's system description in accordance with the applicable description criteria, as well as the design and implementation of controls to achieve the organization's objectives or service commitments. A Type II report extends the auditor's opinion to also cover the operating effectiveness of those controls over a period of time.
| SOC Report Type | System/Services Provided | Example Service Organizations | Criteria | Intended Audience |
|---|---|---|---|---|
| SOC-1 | Financial reporting processing | Payroll processors, medical billing | Broadly defined; customized by the service organization based on the system/service provided | User entities; auditors of user entities |
| SOC-2 / SOC-3 (4) | Software (SaaS) or infrastructure (IaaS); professional services organizations | Electronic signature platforms, office space management systems | Standardized, based on the set criteria: Security (1); Availability (2); Confidentiality (2); Processing Integrity (2); Privacy (2)(3); Other, SOC-2+ | User entities; auditors of user entities; business partners; potential clients |
- (1) In SOC-2 examinations, the Common Criteria, which make up the Security category, are the only required criteria.
- (2) The remaining categories are optional and can be added to the auditor's examination, each adding an incremental level of effort.
- (3) The AICPA released updated implementation guidance and points of focus in the fall of 2022. For Privacy specifically, there is enhanced focus on the distinction between data controllers and data processors.
- (4) SOC-3 reports are intended for general distribution. They provide less detailed reporting, but cover the same system/services and the same criteria elected for the SOC-2, and are typically issued in conjunction with a SOC-2 report.
| Exam Type | Coverage Period | System Description Completeness/Accuracy in Accordance with Applicable Criteria | Design of Controls | Operating Effectiveness of Controls |
|---|---|---|---|---|
| Type I | Point in time | Yes | Yes | No |
| Type II | Period of time | Yes | Yes | Yes |
SOC-1 and SOC-2 Prescriptive Guidance
Both SOC-1 and SOC-2 reports are performed under the AICPA Statements on Standards for Attestation Engagements: the pertinent sections of SSAE-18 (which apply to all attestation engagements) and SSAE-21 (Direct Examination Engagements).
Further SOC-1 examination guidance is prescribed within SSAE-18 by section AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting. AT-C 320 gives the auditor specific guidance on the controls expected to be covered in a system description, and on how to plan, perform and report on a SOC-1 examination. The control objectives in a SOC-1 examination are determined by management, though AT-C 320 provides guidance on how the auditor should evaluate the control objectives identified.
In SOC-2 examinations, additional guidance on the completeness and accuracy of the system description is provided by AICPA DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (with Revised Implementation Guidance – 2022).
Additionally, management’s service commitments and system requirements in SOC-2 examinations are evaluated against the AICPA’s Trust Services Criteria for elected categories, as prescribed by AICPA TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022).
Updated Guidance on SOC Reporting
In October 2022, the AICPA released updated guidance addressing a number of considerations affecting SOC-2 reports. These updates may affect service organizations that have issued reports in prior years, regardless of the criteria elected.
For SOC-1, the AICPA's 2017 guide provides illustrative support for planning and executing examinations. Users of SOC-1 reports continue to refine their understanding of, and expectations for, the coverage a SOC-1 report should provide.
How Can We Help?
Cherry Bekaert's Risk Accounting and Advisory and Cybersecurity professionals have over three decades of SOC and information assurance experience across all industries and disciplines, and serve on AICPA and state-level boards and committees overseeing the implementation of new standards. Whether you are preparing for a first-time SOC examination or completing your annual assessment, our specialized teams work closely with your organization to ensure all your needs are met. Reach out to your Cherry Bekaert advisor or a member of our Information Assurance & Cybersecurity practice.