If your company is a service organization that provides a form of outsourced services to other business entities (user entities), you have likely heard of SOC reports. Many of you have also likely been asked to provide a copy of your SOC report as part of a proposal or other due diligence work.
Despite the increased prevalence of these reports, there are many still wondering what a SOC report is and whether they should undergo a SOC examination.
What is a SOC Report?
A SOC Report details relevant aspects of a system of internal controls related to outsourced services provided by a service organization. These reports are intended to provide user entities with the information needed to assess the risks associated with utilizing outsourced services. Included in the report is a description of the system of internal controls, which is prepared by the service organization itself.
An independent auditor then reviews the description and evaluates the design of controls in place, tests whether key controls were operating effectively (in Type 2 reports only, see below), and provides an opinion on the overall system of internal controls as they relate to the outsourced services covered by the scope of the report.
SOC 1 vs. SOC 2
There are two primary types of SOC reports available for service organizations, each of which is designed to meet different needs of their user entities:
SOC 1: Focuses on the service organization’s internal controls as they relate to financial reporting at the user entity.
SOC 2: Intended to meet the needs of a broad range of users that need to understand internal controls at a service organization as they relate to operational controls over security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems. The five categories covered by a SOC 2 are:
- Security - The system is protected against unauthorized access, both physical and logical.
- Availability - The system is available for operation and use as committed to or agreed upon.
- Processing Integrity - System processing is complete, accurate, timely, and authorized.
- Confidentiality - Information designated as confidential is protected as committed to or agreed upon.
- Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP).
SOC Report Types
Both SOC 1 and SOC 2 reports may be presented as either a Type 1 or Type 2 report.
Type 1: This report is as of a point in time and only evaluates whether the system of controls was suitably designed.
Type 2: This report also evaluates the suitability of design, but further evaluates whether the controls were operating effectively over a specified period of time. Type 2 reports are far more common and are generally what user entities are looking for.
Additional Reporting Framework
While the primary reports are SOC 1 and SOC 2, there are several less common reports as well.
- SOC 3 reports evaluate the same information as a SOC 2, but do not include much of the detail related to the controls and auditor testing that is presented in a SOC 2. These are general-use reports that may be freely distributed and are generally used as promotional material as opposed to detailed tools to assist user entities with an evaluation of controls at a service organization.
- Additional reporting frameworks include SOC for Cybersecurity, SOC for Supply Chain, and various SOC 2+ reports that incorporate an additional framework into the SOC 2 (HITRUST®, HIPAA, and COBIT to name a few).
Additional Benefits of a SOC Audit
While the primary aim of a SOC report is to provide valuable information to user entities related to the service organization’s system of controls, a properly executed SOC examination will also provide significant value to the service organization itself.
Throughout the course of preparing for and completing the examination, management will need to review and assess their design of internal controls. During the process, auditors can assist management in finding opportunities to improve both the effectiveness and efficiency of company policies and procedures as they relate to the system of internal controls.
Readiness Assessment
If it is determined that your organization would benefit from a SOC examination, it is highly recommended that you work with your auditor to perform a readiness assessment prior to the full SOC examination.
A readiness assessment will allow your auditors to review and evaluate your system of internal controls and provide feedback including recommendations for areas that need improvement without having to detail results in a report. This will give your organization the ability to address any deficiencies and increase the likelihood of a clean auditor’s opinion in your first SOC report.
Does Your Company Need a SOC Audit?
Despite the fact that SOC reports are a valuable tool for both service organizations and user entities, they are not appropriate for all organizations. Even if a customer or potential customer is requesting your organization’s SOC report, that does not necessarily mean that a SOC engagement is the appropriate course of action.
Your accountant is your best resource to assist in determining whether or not a SOC report is right for your organization.
© 2021 SVA Certified Public Accountants