SOC Reporting Services

If your organization provides outsourced services to other businesses, chances are you will be asked to demonstrate that you maintain a sound system of internal control over the transactional data you process or the systems you host on their behalf. The American Institute of Certified Public Accountants (AICPA) has created several reporting options that let you demonstrate this to customers and prospects.

A System and Organization Controls (SOC) audit is an examination performed by an independent certified public accounting (CPA) firm. Its primary objective is to provide transparency into a service organization's internal control structure and to provide assurance about the design and operating effectiveness of the controls in place.

A SOC audit is not a certification. There is no pass or fail rating; the deliverable is an audit report that contains the service auditor's opinion and discloses any control exceptions or failures identified during testing. Because SOC 1 and SOC 2 reports contain detailed control information, they are restricted-use reports that are typically shared with customers and their auditors under a non-disclosure agreement; only a SOC 3 report is intended for general distribution.

Our SOC Reporting Services include:

SOC 1 Reports

A SOC 1 examination focuses on controls at a service organization that are relevant to its customers' internal control over financial reporting (ICFR). This information can be crucial for customers that must comply with laws and regulations such as the Sarbanes-Oxley Act of 2002. Organizations whose services directly affect financial reporting, such as payroll processing, revenue reporting, debt collection or loan servicing, provide a SOC 1 report to their customers. Technology companies, such as accounting software providers or data centers that host infrastructure for financially relevant systems, may also consider obtaining a SOC 1 report.

SOC 1, Type 1

A Type 1 report focuses on the design of controls as of a point in time. Management is responsible for asserting that it has designed controls that appropriately mitigate the risks its services pose to user entities, and that those controls were implemented as of a specified date. The auditor evaluates the suitability of that design but does not test whether the controls operated over any period.

What to expect in your Type 1 audit report:

  1. The service auditor’s opinion
  2. Management’s assertion
  3. Management’s description of their internal control processes
  4. Identification of controls that were designed and implemented as of the examination date

SOC 1, Type 2

A Type 2 report focuses on whether controls operated effectively over a period of time. As in a Type 1 audit, management asserts that it has designed controls that appropriately mitigate the risks its services pose to user entities and that those controls were implemented. In addition, management must demonstrate that the controls operated effectively throughout the review period, typically six to 12 months, and the auditor tests each key control across that period rather than confirming it only on a single date.

What to expect in your Type 2 audit report:

  1. The service auditor’s opinion
  2. Management’s assertion
  3. Management’s description of their internal control processes
  4. A description of the service auditor's tests of each key control, the results of those tests and any exceptions identified

SOC 2 Reports

A SOC 2 examination evaluates controls over an organization's systems against one or more of the AICPA Trust Services Categories: security, availability, processing integrity, confidentiality and privacy. These reports are typically best suited to companies whose services are operational rather than financial in nature. The five categories are designed to work together to represent different aspects of system reliability. Security is the one category that must be included in every SOC 2 examination; its criteria are known as the "common criteria" because they apply to all five categories. The other four categories each add supplemental criteria that are evaluated in addition to the common criteria when that category is in scope.

The baseline of any SOC 2 is the set of common criteria, organized into nine series (CC1 through CC9):

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

SOC 2, Type 1

A Type 1 report focuses on the design of controls as of a point in time. Management is responsible for asserting that it has designed controls that appropriately address the in-scope Trust Services Criteria and mitigate the risks its services pose to user entities, and that those controls were implemented as of a specified date. The auditor evaluates the suitability of that design but does not test operation over a period.

What to expect in your Type 1 audit report:

  1. The service auditor’s opinion
  2. Management’s assertion
  3. Management’s description of their internal control processes
  4. Identification of controls that were designed and implemented as of the examination date

SOC 2, Type 2

A Type 2 report focuses on whether controls operated effectively over a period of time. As in a Type 1 audit, management asserts that it has designed controls that appropriately address the in-scope Trust Services Criteria and that those controls were implemented. In addition, management must demonstrate that the controls operated effectively throughout the review period, typically six to 12 months, and the auditor samples and tests each key control across that period; a control that was in place on the report date but failed during the period is reported as an exception.

What to expect in your Type 2 audit report:

  1. The service auditor’s opinion
  2. Management’s assertion
  3. Management’s description of their internal control processes
  4. A description of the service auditor's tests of each key control, the results of those tests and any exceptions identified

SOC 3 Reports

A SOC 3 report is intended for general distribution and may be posted on your company's website or another public channel; common uses include marketing and vendor due diligence. Like a SOC 2 examination, a SOC 3 examination evaluates controls over an organization's systems against one or more of the Trust Services Categories (security, availability, processing integrity, confidentiality and privacy), with the security category's common criteria (CC1 through CC9, listed in the SOC 2 section above) as the baseline and the other categories adding supplemental criteria when they are in scope.

A SOC 3 examination must cover a period of time; there is no point-in-time (Type 1) SOC 3. It is usually performed as an add-on to a SOC 2 Type 2 engagement and draws on the same testing. Unlike the other SOC reports, a SOC 3 report is brief: it omits the detailed system description and the auditor's tests and results, so a reader can see the opinion that was issued but not which controls were tested or which exceptions were found. Customers who need that detail should request the SOC 2 Type 2 report.

What to expect in your SOC 3 audit report:

  1. An abbreviated service auditor’s opinion
  2. An abbreviated management’s assertion
  3. A summary of management’s description of their internal control processes

Since May 1, 2017, service auditors performing SOC 1 engagements have followed Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which superseded the previous standard, SSAE 16.
Neha Patel

Partner-in-Charge, IT Advisory Services

Neha Patel, CPA, CISA, has 16 years of experience in public accounting and internal audits, with an emphasis on governance, risk…