SOC Reports

What is a SOC report?

SOC stands for Service Organizations Controls. A SOC report provides a detailed assessment of the controls, processes, and implementation thereof within an organization. A SOC report is one the easiest and most effective ways to verify and ensure that an organization is following industry best standards and that the controls they have implemented ensure data security, and the protection of information within the business. Of course, the process to obtain the SOC report is not quite so simple, and a successful report attests to a strong control environment.

Purpose of SOC reports

In recent times, it has become a very common theme that organizations are not prepared to work with a business partner or vendor if they are not able to prove the security of their system and the prospective customer cannot validate that their information will be safeguarded. There has been a spike in requests for SOC reports as a result of this. Having completed and obtained a SOC report gives the ‘proof’ that you are an organization to work with, and so it has become an absolute no-brainer in the modern business, and data-driven world.

What are the different types of SOC reports?

We will consider 3 main reports, and 2 types of reports – SOC 1, SOC 2 and SOC 3, and Type I and Type II reports.

SOC 1

A SOC 1 report provides an overview and outcome of the attestation process surrounding the internal controls of an organization, pertaining to financial and business controls in particular. SOC 1 is based on the SSAE16 reporting standard, which is an auditing standard for service organizations and was developed by the AICPA (American Institute of Certified Public Accountants) Auditing Standards Board. SOC 1 is relevant for any organization or business that performs outsourced financial services. Essentially, if your business’s services impact a user entity’s financial reporting, SOC 1 is for you. This includes organizations that process and have business operations related to payroll, loan services, medical claims, and many others. A SOC 1 report and audit is performed by a CPA firm that specializes in auditing IT and business process controls.

SOC 2

A SOC 2 report is similar to SOC 1, but does not concern financial and business controls. SOC 2 focuses on the IT control environment and examines its related policies, processes, and controls. Depending on what is relevant to the organization, the SOC 2 report will be made up of the assessment of the related TSC. This is of course Security (common criteria), Availability, Confidentiality, Processing Integrity, and Privacy.

SOC 3

This is the less common SOC report. It is a public report (a public instance of the SOC 2 report), that is made public as it does not contain any confidential information. It is usually relevant to organizations that undergo many SOC audits, have many reports, and have a well-implemented and matured system.

Type I report

A Type I (Type One) report applies to both SOC 1 and SOC 2 as described above. It is also referred to as a point-in-time test (i.e. a single day). In the case of SOC 2, a Type I report assesses the design of the controls, as well as the implementation of these controls. When considering SOC 1, a Type I report also assesses the design of the controls (specifically how well the internal controls are designed to prevent financial misstatements).

Type II report

Similarly, a Type II (Type Two) report applies to both SOC 1 and SOC 2 as described above. It is also referred to as a test of operating effectiveness. A Type II report will cover a period of time (3 months, 6 months, and most commonly, 12 months). It is a report that provides more conclusive coverage over a control environment and organization’s processes, as it evaluates controls for a longer period of time. Think about it logically, there is a much higher probability that a system error or gap in control will be detected when assessing controls over a 12-month period versus 1 day (365x higher chance).

What is included in a SOC compliance report?

A SOC report consists of four (4) sections:

  1. The management assertion
  2. The independent auditor’s opinion.
  3. System description of the control environment
  4. A detailed list of controls and outcome of testing performed.

The management assertion

This section is prepared by the management of the organization undergoing the audit process. This section is an attestation that the controls that were examined and included as part of the audit are operating effectively (according to the management of the organization), and it is confirmation and agreement of the scope that was in focus, period of time covered, and the use of certain tools and providers.

The independent auditor’s opinion

This is completed by the audit firm performing the assessment and actual audit process. It attests to the responsibilities of the auditor, what was performed in the audit process in order to reach the outcome of the report provided, and the alignment of testing (which standards the testing was performed in accordance with).

System description of the control environment

This is the longest section in the report and is the full, detailed description of the control environment in place. It includes sections for each area of testing, relating to management controls, access controls, human resources, privileged access, specific sections related to the TSC scope items under review, vendors’ cloud providers, etc. It is the full description of the control environment and contains many confidential data elements that would be relevant only for restricted entities to view.

A detailed list of controls and outcome of testing performed

The fourth and final section of the SOC report translates the Section 3 description into testing performed and results obtained. Each control described in the third section is of course included as part of the auditor’s testing. Therefore, think of section 4 as the results of the whole audit process. It details the control, the description of it, the testing performed, results obtained, and if any deviations were noted.