Service Organization Control Reporting (SOC)
As the demand for your company’s services increase, so do the requests from your customers for assurance. Assurance, that you’ve taken the steps necessary to protect the privacy and confidentiality of their data as well as the security, availability and processing integrity of your systems. You are not alone. Looking to reduce infrastructure costs, many organizations are utilizing outsourcing and cloud computing solutions. Similarly, the demand for assurance of the integrity of these outsourced applications and functions has expanded as well.
As a service organization providing outsourced or cloud computing, you are an extension of your customers’ system of internal control and your customers rely upon you to protect them from the risk of fraud, unauthorized use of data, loss of data and violation of privacy.
The American Institute of Certified Public Accountants (AICPA) has provided the solution to demonstrate the reliability of your system of controls and to provide assurance to your customers by providing three Service Organization Control (SOC) reporting options, SOC 1, SOC 2 and SOC 3.
SOC 1 reports address controls at a service organization that are likely to be relevant to an audit of a customer’s financial statements.
A Service Organization Control, or SOC 1 report, is a formal audit of a service provider’s controls that affects their customer’s internal control over financial reporting. SOC 1 reports, often referred to by the AICPA attestation standards as SAS 70 and SSAE 16 (now SSAE 18), are specifically intended to meet the requirements of the entities that use service organizations and those entities’ financial statement auditors.
- Stronger focus on Risk Assessment
- Emphasis on Vendor Management Programs
- Monitoring subservice organizations
- Modifications to the written assertion requirements of management
There are two types of SOC 1 reports:
- Type 1 – This report shows customers and their auditors that your organization’s systems and controls are accurately described, that the controls are in place, and that those controls are designed to fulfill your financial control objectives as of a specified date.
- Type 2 – This report provides the same information as the Type 1 report, while also verifying that the controls properly operate, providing a description of the tests auditors performed to determine that information, and the results of those tests over a specified period.
Obtaining a third party SOC 1 attestation report adds significant value to your organization and also provides your customers with an increased level of confidence. It sets you apart from the competition by demonstrating your commitment to the security of your customer’s data and information.
SOC 2 and SOC 3 reports address controls at a service organization related to operations and compliance as identified in the AICPA’s Trust Service Principles.
A SOC 2 report provides service organizations with an opinion on controls that are related to a predefined set of principles. Unlike a SOC 1 report, where control objectives and controls are specified to the industry and unique processes within a company, a SOC 2 report utilizes a standardized set of industry neutral controls based on the AICPA’s Trust Services Principles — security, availability, processing integrity, confidentiality and privacy. A SOC 2 report must include the security principle (known as the common criteria), with inclusion of the remaining four principles being optional based on the company’s needs.
There are two types of SOC 2 reports:
- Type 1 – This report shows customers and their auditors that your organization’s systems and controls are accurately described, that the controls are appropriately designed and that those controls are in place as of a specified date, or point in time.
- Type 2 – This report demonstrates to customers and their auditors that your organization’s systems and controls are accurately described, that the controls are appropriately designed, and include a description of tests performed to verify that the controls are operating effectively throughout a specified period of time.
Which Trust Services Principles should I select?
When selecting the Trust Services Principles that are right for your SOC 2 report, first determine the scope of the engagement and the principles most applicable to your system. The following high-level definitions can help get you thinking about which principles apply to your organization:
- Security – The system is protected against unauthorized physical and logical access
- Availability – The system is accessible, as determined by contract of service level agreement
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized
- Confidentiality – Information designated as confidential is protected as agreed
- Privacy – Personal information is collected, used, retained, disclosed and destroyed with the commitments in the entity’s privacy notice and principles set forth by the AICPA
SOC 2 reports provide significant value in situations where customers and internal management must have confidence in the service organization’s system of controls to provide security, availability, processing integrity, confidentiality and privacy. In addition to addressing the internal needs, the SOC 2 report is valuable to your existing customers because it provides a CPA-signed report as assurance of your systems and processes.
The SOC 3 report is intended to be used as a marketing tool to an unrestricted expanded audience compared to that of a SOC 2 report.
The SOC 3 report is intended to be used as a marketing tool to an unrestricted expanded audience compared to that of a SOC 2 report, such as potential customers, investors, etc. Similar to a SOC 2 report the SOC 3 report provides an opinion on controls relevant to one or more of the Trust Service Principles (TSP). The SOC 3 report is unique in its lack of use restrictions and the use of a SOC 3 seal to be used on your website making it the perfect marketing tool for customers that must have confidence in the service organization’s system of controls to provide security, availability, processing integrity, confidentiality and privacy.