Understanding SOC Reports and Their Impacts

Your organization performs services for others and is tasked with handling important data. You want your customers (users of your services) to rest assured that the controls related to those services are appropriately performed and that their data is protected and secure. A System and Organization Controls (SOC) report fulfills a number of needs for user organizations and provides users with assurance related to controls.

If your organization is currently performing services or maintaining hardware, software or data for others, understanding the importance and impact of SOC reports is crucial to your (and your customers’) success.

Overview of System and Organization Control Reports
The service organization provides services to its customers, or user entities. A SOC report is an independent examination of your organization’s internal controls that provides valuable information user organizations need to assess and address risk.

There are five main types of SOC reports:

• SOC 1 – Internal Controls over Financial Reporting (ICFR)
• SOC 2 – Trust Service Criteria
• SOC 3 – General Use Report regarding a Trust Services Criteria
• SOC for Cybersecurity
• SOC for Supply Chain

The Types of SOC Reports
While there are a few similarities in the reports, there are many differences that distinguish one from the other. Let’s take a look at each report.

• SOC 1 – A report on internal control over financial reporting at a service organization. This report enables the user entity’s auditor to perform risk assessment procedures during the planning of an audit and determine the nature and extent of procedures when performing an audit of the user entity’s financial statements.
• SOC 2 & 3– A report related to information systems and data security, availability, confidentiality, processing integrity, and/or privacy at a service organization.
• SOC for Cybersecurity – A report about the effectiveness of a service organization’s cybersecurity risk management program.
• SOC for Supply Chain – a report on the effectiveness of controls relevant to security, availability or processing integrity of a system, or the confidentiality or privacy of information processed by a system that produces, manufactures or distributes products.

Additional Distinguishing Characteristics
It is important to recognize that each of the SOC types have distinguishing differences beyond those listed above.

SOC 1
A SOC 1 report is specifically designed to provide management of the service organization, user entities and their independent auditors (user auditors) with information about the controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.

SOC 2
A SOC 2 is specifically designed to meet the needs of a broad range of users, including management of the service organization, user entities and other parties. It provides information about the internal controls at the service organization relevant to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (as established by TSP 100).

The service organization has the option to include additional subject matter related to the services it provides.

Additional subject matter examples are as follows:

• Cloud Security Alliance (CSA)
• HITRUST
• COBIT 5
• HIPAA
• ISO 27001
• NIST800-53 R4

The service organization provides appropriate supplemental information related to the additional subject matter, a description of the criteria used to measure and present the subject matter, and finally, if the criteria are related to controls, a description of the controls intended to meet the control-related criteria and an assertion by management regarding the additional subject matter.

SOC 3
A SOC 3 provides a service auditor’s opinion about the controls at the service organization relevant to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy to any interested parties.

The Difference Between SOC 2 and SOC 3
You may have noticed that SOC 2 and SOC 3 have similarities. However, it is important to highlight the main difference.

While a SOC 2 report and SOC 3 report contain similar information related to the service auditor’s tests of controls and results of those tests, a SOC 2 report contains more detailed information and its distribution is restricted to a specific user audience. The SOC 3 report, which is much shorter and less detailed, is intended for a general (public) audience.

Reasons for Wanting a SOC 2 or SOC 3 Report
Because the SOC 2 and SOC 3 reports are based on predefined criteria, user entities may ask for a SOC 2 or SOC 3 report to provide them with assurance that controls are in compliance with industry standards. In addition, some companies use service providers for activities not relevant to the audited financial statements. Because a SOC 1 report can only be used for processes related to internal control over financial reporting, user entities may request a SOC 2 or SOC 3 report for assurance that the predefined controls (TSP 100) are in place.

Type 1 and Type 2 SOC Reports
When it comes to SOC reports, it is also important to take notice of the difference between a Type 1 and Type 2 report.

• Type 1 – Report on management’s description of a service organization’s system and the suitability of the design of controls as of a point in time.
• Type 2 – Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a specified period of time.

Description of System in a SOC 1 Report
Management of a service organization is responsible for preparing the description of the service organization’s system, including the completeness, accuracy and method of presentation of the description. The system description includes the procedures within both manual and automated systems by which services are provided. This includes procedures by which transactions are:

• Initiated
• Authorized
• Recorded
• Processed
• Corrected as necessary and transferred to reports
• Other information prepared for user entities

SOC for Cybersecurity
SOC for cybersecurity is a reporting framework to help organizations effectively communicate with key stakeholders on their cybersecurity risk management program and the effectiveness of controls within that program.

The report issued for SOC for cybersecurity is an examination engagement performed by independent CPAs (practitioners) on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, there are two distinct but complementary subject matters:

• The description of the entity’s cybersecurity risk management program
• The effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.

A cybersecurity risk management examination report is for general use.

SOC for Supply Chain
A supply chain is a system of organizations, people, activities, information, and resources involved in moving a product from supplier to customer. Supply chain activities involve the transformation of natural resources, raw materials, and components into finished goods. Guidance for these SOC reports was issued in March of 2020.

Suppliers, customers and business partners may expect entity management to establish operational and compliance objectives about the design, operation and effectiveness of controls within the system and may request an attestation report from the entity. Such a report is the result of an attestation engagement in which a practitioner (CPA) examines and opines on

(a) whether the description of the entity’s system that produces, manufactures or distributes products (the description of the system or description) presents the system that was designed and implemented in accordance with the description criteria and

(b) whether the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period, based on the applicable trust services criteria.

A SOC for Supply Chain report may be issued for general distribution to knowledgeable users or may be restricted to a specific subset of users.

When it’s Necessary to Have Multiple System and Organization Control Reports
Because the same criteria are used for SOC 2 and SOC 3 reports, a service provider may choose to do both. Service providers that need a SOC 1 (because their services are relied upon by their clients’ financial auditors), but still want to provide assurance they meet the predefined trust services criteria, may find it advantageous to align their SOC 1 controls with the predefined Trust Services criteria.

While the reports cannot be combined, certain testing performed in each engagement may provide evidence for the other engagements. This simplifies the compliance process for the service provider and allows the service provider to offer all three reports to its clients, in addition to using the SOC 3 for marketing purposes.

How to Begin a SOC Examination
Before committing to a comprehensive SOC examination, you’ll want to complete a readiness assessment. The purpose of a readiness assessment is to assist with the following:

• Determine the boundaries of the system to be included in the engagement
• Assistance with the preparation of the system description
• Assistance with the determination of the control objectives and the control activities (SOC 1)
• Assistance with the determination of the control activities related to the Trust Services Criteria (SOC 2 and SOC 3)
• Assistance with the description of the cybersecurity risk management framework (SOC for Cybersecurity)
• Determine if there are control weaknesses present
• Recommendations for remediation

Performing a readiness assessment prior to the SOC examination will give management an opportunity to remediate or implement controls to achieve the control activities.

Updated Standards for System and Organization Control Reports
SOC reports are subject to Statements on Standards for Attestation Engagements (SSAEs) as issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Such standards establish guidelines and requirements for the CPA in the performance of the applicable SOC examination engagement.

Previously, SOC reports had numerous names, including SAS 70 reports, SSAE 16 reports, SSAE 18 reports and Service Organization Control reports. Sometimes SOC reports have been referred to as ‘certifications.’ The terminology in this arena has changed, and the common title for SOC reports is now System and Organization Control (SOC) reports. Regulators and other entities may call them by any of their previous names in contracts and other documents. When encountering terms such as the above when entering into contracts, clarification should be obtained to determine the specific SOC report and any underlying criteria that may be required to meet your needs.

The Importance of SOC Reports
There are many characteristics and differences to be aware of when it comes to SOC Reports. From knowing the difference between SOC 1, SOC 2 and SOC 3, to understanding supply chain SOC requirements or making sure you have all of your information ready and how you can prepare your cybersecurity systems to mitigate risk, there is a lot of information that impacts your business.

While keeping it all straight can seem like a daunting task, it doesn’t need to be. With help from an experienced professional, you can ensure you have the support you need to proactively address challenges and opportunities while ensuring your customers’ data is secure.