Businesses of all types and sizes are turning to “The Cloud” to deliver their application systems and data processing services to their customers. Cloud computing has gone mainstream over the past few years, with a massive 96 percent of businesses using it to some degree. The trend clearly is to move critical and core systems to the cloud to improve security, availability, confidentiality, and privacy of users’ data.
Considering that most service organizations manage, or at least have access to, a customer’s sensitive data, understanding the nature, extent, and effectiveness of controls that your service organization has in place yields governance is vital. This is where System and Organization Controls (SOC) reports come into the picture.
SOC reports provide a service organization’s customers assurance that the systems, processes and related controls described in the report are properly designed, implemented, and operating effectively. Customers read the reports and pay particular attention to those controls that are most relevant to them. For example, the security, confidentiality and/or privacy of a customer’s data.
Developed according to the standards set forth by the American Institute of Certified Public Accountants (AICPA), SOC reports provide a structured audit process that allows service organizations to easily and readily demonstrate the development, establishment, and implementation of effectively designed control objectives and activities to customers and stakeholders.
There are four unique SOC examination types:
- SOC1 for evaluating internal controls over financial reporting,
- SOC2 is for examining systems and controls related to Security, Availability, Confidentiality, Processing Integrity or Privacy,
- SOC3 is a public report suitable to describe the completion of a SOC2 Examination,
- SOC for Cybersecurity – examination of an entity’s information security program.
Today we are going to take a closer look at SOC1 and SOC2 to understand some of the key differences between them, offering what we hope, is a road map to successful SOC engagement.
1. Identify the systems, products and/or services to be covered by each SOC examination.
- SOC1 Examinations
SOC1 examinations relate to controls that are relevant to a customer’s internal controls over financial reporting or processing of financial transactions. The primary users of a SOC1 report might be the external auditor or financial management of the service organization’s customers.
- SOC2 Examinations
SOC2 examinations relate to processes and controls relevant to the security, availability, confidentiality, processing integrity or privacy of the systems that deliver products and services to customers. SOC2 reports are the most frequently requested reports by customers to meet the requirements of their vendor management programs. Likely users of a SOC2 report include Security, Risk, Systems Management of the service organization’s customers, prospective customers under certain circumstances, and/or regulatory authorities.
Both SOC1 and SOC2 examinations conclude with one of two different types of reports:
- SOC1 Type I — A Type I report audits controls in a system at a specific point in time or a single date. This report is most often used when issuing a service organization’s SOC report for the first time. The report can be issued as of a specific date when controls are determined to be properly designed and implemented.
- SOC1 Type II — A Type II report tests the effectiveness of controls that were in place and operating over a specified period of time. This is the type of report most often requested by customers of the service organization as part of their vendor management programs.
2. Identify the boundaries of the system to be included in the Scope of the SOC Report
There are certain boundaries of your system to be included in the Scope of the SOC Report. The system includes the products or solutions offered to your customers in the Scope of the SOC examination. In a SOC2 report systems are described in the context of the following system components:
3. Identify appropriate Control Objectives
This stop on the road map is slightly different for SOC1 and SOC2 Engagements:
- A SOC1 Engagement focuses on Controls stipulated by management, which are designed to meet the Control Objectives established by management. There are guidelines for establishing Control Objectives depending on industry or service types, but there is no specific requirement that determines what control objectives must be. As a result, oftentimes companies in similar industries may have dissimilar control objectives and related controls.
- A SOC2 Engagement is different from a SOC1 because the Control Objectives (called Criteria in SOC2 engagements) for each category selected are fixed and must all be addressed in the service auditor’s testing. Service Organization management selects the category, or categories, they wish to report on such as security, availability, confidentiality, processing integrity or privacy. This allows for more comparability and consistency between SOC reports for service organizations in similar businesses.
4. Identify documented Policies and Procedures that may be in place
Once you have identified Policies and Procedures, walk through and document processes related to the selected Control Objectives for SOC1 or the Criteria that are required for a SOC2 Engagement.
5. Describe the System
The System Description is what the auditor examines during in a SOC report. The Auditor’s opinion states the System Description has been prepared in accordance with the criteria established for system descriptions.
(Please see our companion piece “The Description Of The System In A SOC Report (Part 2)” focusing more intently on the description for a more in-depth discussion.)
6. Conduct a Readiness Assessment
A Readiness Assessment is a consulting engagement where the Service Auditor reviews your service organization’s processes and procedures in walkthroughs. The Service Auditor also assesses the Design and Implementation of the Controls to see if you are ready to subject them to a SOC examination. Once the Readiness Assessment is complete, and any identified deficiencies or other issues have been remediated, you are then ready for a SOC Engagement.
7. Conduct a SOC (1 or 2) Type I Examination
A SOC (1 or 2) Type I report is set to a specific date, typically soon after management has determined they are ready for an examination.
The Independent Auditor then expresses an opinion on the fairness of the System Description—as to whether or not it meets the descriptive criteria—and that the Controls identified have been properly designed and implemented.
8. Conduct a SOC (1or 2) Type II Examination
The SOC (1 or 2) Type II Examination covers a period of time, which is typically set at 12 months. Under certain circumstances, a Type 2 report can be issued for less than 12 months, but they are not typically issued for periods less than 6 months.
In a Type II Examination, the Auditor must express an opinion on the fairness of the description. He or she must also indicate that the Controls identified have been properly designed and implemented and that they are operating effectively throughout the period designated.
Do you feel prepared to start traveling on your road to a successful SOC Engagement?
We hope this article gives you a better idea of SOC reports and how they can help you better serve and assure your current customers and their stakeholders. Additionally, SOC reports let prospective customers know that they rely on your service organization to service their product or service needs, including protecting their confidential data.
We understand that the SOC suite of reporting can be complex, so we are here and happy to answer any additional questions you may have.
SOC Article – The Description Of The System In A SOC Report (Part 2)