The AICPA’s System & Organization Control (SOC) suite of attestation reports are a unique and valuable set of audit and reporting standards. They allow a company to provide its customers with an independent CPA’s opinion on a set of pre-established criteria, based on a control framework. They are also a challenging set of standards to understand if management is unfamiliar with them. Compounding the challenge is that SOC audits can perceived to be exclusively focused on Information Technology, so they are closely associated with PCI compliance, ISO 27001, FedRAMP, or other IT control frameworks. In practice, they can serve a much broader purpose than just IT controls.
The first time an entity receives a request for a SOC report, many questions arise. Which report is required? How long does a SOC engagement take? Is it a certification? Is it a one-time exercise or annual process? Here are some answers to frequently asked questions to help entities decide if the time is right to start the SOC audit process, and which type of report is best for your customers and stakeholders.
Why would a company need a SOC audit?
There are many reasons a company might decide to pursue a SOC audit. It may be required as part of a contracting agreement with a new customer. A downstream auditor may be requesting it as part of their financial or internal audit. Or, a Board of Directors or management may be interested in an independent assessment of the control environment.
How many different SOC reporting options are available?
Right now, the AICPA has released guidance on five different SOC reporting options, which include:
- SOC 1: SOC for Service Organizations: Internal Controls over Financial Reporting
- SOC 2: SOC for Service Organizations: Trust Services Criteria
- SOC 3: SOC for Service Organizations: Trust Services Criteria for General Use Report
- SOC for Cybersecurity
- SOC for Supply Chain
It is worth noting that SOC reports are not a certification. They are an independent auditor’s opinion on the accuracy of a description and the design and/or effectiveness of set of controls.
What kind of SOC report do we need?
The easy answer to this question is—whatever your customers are requesting! Otherwise, it depends on the services your company performs on behalf of your customers. It may also depend on contractual or regulatory requirements.
If your company produces information that will be used in your customer’s financial statements, then a SOC 1 is the best choice. If your customers need to know how you protect their information or how you keep your systems available to them as agreed, then a SOC 2 may be more appropriate. If you want to demonstrate to the public or prospective customers that your company has completed a SOC engagement, then a SOC 3 may be most appropriate.
A company that is not a service organization but wants to demonstrate its commitment to cybersecurity to its customers or other stakeholders might choose a SOC for Cybersecurity report.
Finally, a company that is part of the mining, manufacturing or distribution supply chains may want to demonstrate that they have identified and addressed risks associated with the supply chain, and a SOC for Supply Chain engagement may be most valuable.
What are the similarities and differences between the various SOC reports?
SOC reporting standards have a reasonable level of consistency to provide measurability between reports. All SOC reports have a Management Assertion, a Description based on a specific Description Criteria, and a set of controls based on a Control Criteria.
All SOC reports also have an opinion or series of opinions about the accuracy of the description and the design of a set of controls. A type 2 report also includes an opinion on the operating effectiveness of controls over a period of time.
Most SOC reports also have two different reporting options—a Type 1 and Type 2. A Type 1 report only evaluates the design of controls, but a Type 2 report evaluates and opines on the design and operating effectiveness of a set of control over a period of time.
Notable differences exist in the various SOC reports. A SOC 1 does not use a preestablished control criteria, instead, opting for a set of Control Objectives that would be useful to a broad range of report users. SOC 2 typically uses the AICPA’s Trust Services Categories as its control criteria, but any widely available control framework is also considered a suitable control criteria.
Once we have completed a SOC audit, is that it?
SOC reports are used by entities and their auditors for multiple reasons. A control environment and the risks associated with the control environment can change. Because the dynamic nature of the risks around the content of SOC audits, most companies choose to complete a type 2 audit every year covering a 9- or 12-month period. Depending on the size and complexity of the company, preparation for your first SOC audit can take 3-9 months.
Who is responsible for the elements of a SOC report?
The first time you review a SOC report, you’ll notice it contains several sections. Management of the service organization is responsible for preparing the Assertion Letter, the description of the services it provides, the control objectives (in a SOC 1), and specifying the controls to support the control criteria. The service auditor is responsible for preparing the opinion letter and designing tests of controls to evaluate the design and effectiveness of the controls defined by management of the service organization.
These are only some of the most commonly asked questions when a company is exploring their SOC audit options. It will be important to work with your auditor who can help you understand other nuances about the report; for example, how to present subservice organizations (carve-out versus inclusive method), complementary user entity controls, complementary subservice organization controls, and selecting the best control criteria to suit your customers. Have more questions? Feel free to contact us.