In today’s connected and digital business world, more and more companies are relying on service providers to help achieve their business objectives. Because of this, SOC (System and Organization Control for Service Organizations) reports are gaining more importance. SOC reports are designed to help companies get a handle on the internal controls and cybersecurity of their service providers.
The Purpose of SOC Reports
SOC reports are produced by service organizations that provide services to other entities. The intent of a SOC report is to provide an understanding into the relevant controls in place related to the service provided. SOC reports are key inputs for developing trust as the functioning of the controls is tested by an independent CPA firm, similar to a financial statement audit. Each variant of SOC report is designed to help service organizations meet specific user needs.
Unfortunately, the fundamental concepts and naming of SOC reports are inherently confusing. This post will help you understand the basics of SOC reports and how they can be used in your business.
SOC 1 vs. SOC 2
There are two main categories of SOC reports:
SOC 1
A SOC 1 report is appropriate when a company has outsourced a key business process to an external service provider. This report focuses on internal controls around transaction processing at the service provider. The service organization producing the SOC 1 report can tailor the contents of its report to the key risks and controls that are important to its customers. The report is generally considered an ‘auditor to auditor’ communication, as the external auditor of the customer will need to understand the operating effectiveness of controls put in place by the service provider in order to complete its financial statement audit.
SOC 2
A SOC 2 report is perfect for when a business needs to understand the cybersecurity and technology controls in place at a service provider. This report always has cybersecurity at its core but also can include other control areas like privacy or availability. The SOC 2 report is intended for management of its customers to provide them with assurance regarding key cyber risks and controls. The content of SOC 2 reports is pre-defined by the American Institute of Certified Public Accountants (AICPA).
There are significant similarities between SOC 1 and SOC 2 reports. Generally, SOC 1 reports contain similar cyber controls as a SOC 2 report but also include other controls relevant to the outsourced business process. In some circumstances, a business might determine that a combination of both SOC 1 and SOC 2 are necessary to ensure the internal controls at their service provider are operating effectively.
Type I vs. Type II
As if that isn’t confusing enough, for both types of SOC reports, SOC 1 and SOC 2, there are two different ‘flavors’ of SOC reports:
Type I
A Type I report is not as desirable as a Type II report. A Type I report indicates the design of the controls is adequate, but the specific controls are not actually tested. A Type I report is issued as of a specific date.
In formal terms, a Type I reports on the “fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.”
Type II
Regardless of whether it’s a SOC 1 or a SOC 2 report, the Type II report is what you want to see. A Type II report not only indicates the design of the controls is adequate, but the specific controls are tested by the independent CPA firm to verify they are operating effectively. These controls are tested over a period of time, generally one year but could be shorter.
In formal terms, a Type II reports on the “fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.”
Why You Would Need a SOC Report
If you outsource a key business process to a third-party service provider, then you can use a SOC 1 report to ensure the internal controls at the service provider are actually in place and working.
If your business shares sensitive or private information with a service provider, a SOC 2 report can be obtained to verify the service provider has adequate cyber controls in place.
In both cases, SOC 1 and SOC 2, you want to verify the report is a Type II report, indicating the controls have been tested. If there are exceptions noted in the tests performed by the independent CPA firm, this could reveal a weakness in an internal control environment and a disconnect from your expectations of the service provider.
Deciding Between SOC 1 or SOC 2
Ultimately, whether you request a SOC 1 or SOC 2 report will depend on each entity’s specific situation. For example, if you are publicly traded and outsource a key business process to a third-party service provider, then Sarbanes-Oxley (SOX) already requires you to obtain a SOC 1. However, if you are a privately held startup which relies on outsourced technology infrastructure to conduct your business, then SOC 2 might be the better route for you to take, as a SOC 2 report will focus on security and availability to ensure that everything is secure and always up as you focus on growth and seek private investors.
If you outsource any key business process, you need to start thinking about obtaining a SOC report from your service provider.
How to Produce a SOC Report
If your company provides important business services to other businesses, or if you have access to sensitive information from your customers, you need to start preparing to produce a SOC report.
A great place to begin is with a SOC Readiness Assessment. As part of this process, a SOC specialist, generally a CPA firm, will begin by understanding your business and the requirements which are driving you to consider producing a SOC report. Then the SOC specialist will help facilitate a gap assessment to identify where your internal controls may not be sufficient to successfully produce a SOC report. The process may indicate where internal controls are needed but not in place, but can also identify areas where evidence of the control operating is insufficient or not being maintained. The SOC specialist can also help you mitigate risk by identifying opportunities to adopt leading practices or ways to improve controls by leveraging technologies such as workflow.
Once the gaps are identified, you can begin to build a plan to successfully produce a SOC report. It is critical to start the SOC Readiness Assessment effort as soon as possible so that your business has ample time to implement the new or upgraded controls. Organizational change is difficult and should not be rushed.
Anders can help companies identify SOC report needs and facilitate a SOC Readiness Assessment. If you have questions about if, why and what type of SOC report your business may need, contact an Anders advisor.