System and Organization Controls (SOC) Reports

System and Organization Controls (SOC) for Service Organizations are audit reports on the internal controls at a service organization relevant to:

    • Financial reporting (ICFR), or
    • Security, availability, processing integrity, confidentiality, or privacy.

SOC reports provide user entities with the information they need about the service organization’s internal controls to help assess and address the risks associated with the outsourced service (e.g., cloud computing, transaction processing, IT outsourcing services, managed security, financial technology services, customer support, etc.).

AICPA

The American Institute of Certified Public Accountants (AICPA) is responsible for developing and maintaining the SOC framework. It provides guidance on the performance and reporting of SOC engagements and has defined several types of SOC reports, each tailored to a specific purpose.

Benefits of SOC Reports

Risk Assessment

SOC reports provide valuable information needed to assess and address the risks associated with outsourcing services, helping to build trust and transparency.

Compliance

SOC reports help user entities to demonstrate compliance with regulatory requirements (e.g., Sarbanes-Oxley Act, HIPAA, GDPR) that mandate data security and privacy.

Transparency

SOC reports offer transparency into a service organization’s processes and controls, allowing user entities to make informed decisions.

SOC Engagements

SOC 1® – SOC for Service Organizations

These reports are intended to provide management of the service organization, user entities, and the independent auditors of user entities’ financial statements with information about the internal controls at a service organization relevant to user entities’ internal control over financial reporting. 

SOC 2® – SOC for Service Organizations

These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy of the information processed. 

SOC 3® – SOC for Service Organizations

Like SOC 2, these reports address controls relevant to security, availability, processing integrity, confidentiality, and privacy. However, they do not provide the same level of detail. Therefore, they are considered general-use reports and can be freely distributed.

SOC for Cybersecurity

These reports provide general users with useful information about an entity’s cybersecurity risk management program for making informed decisions.

SOC for Supply Chain

These reports provide specified users with information about the controls within the entity’s system relevant to security, availability, processing integrity, confidentiality, or privacy, enabling those users to better understand and manage the risks arising from business relationships with their supplier and distribution networks.

There are two types of reports for the SOC engagements:

Type 1

Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type 2

Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

SOC Reports Key Differences

Purpose

SOC 1

Provide management of the service organization, user entities, and the independent auditors of user entities’ financial statements with information and a service auditor’s opinion about controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.

SOC 2

Provide service organization management, user entities, business partners, and other specified parties with information and a service auditor’s opinion about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

SOC 3

Provide interested parties with a service auditor’s opinion about the effectiveness of controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

Intended users

SOC 1

Auditors of the user entities’ financial statements, service organization management, and user entities.

SOC 2

Service organization management, user entities, business partners, and other parties specified within the report who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services, among other matters.

SOC 3

Interested parties.

Applicable attestation standards

SOC 1

A SOC 1 examination is performed in accordance with AT-C section 320. It is an examination of controls at a service organization that are relevant to user entities’ internal control over financial reporting. The service auditor has the option of reporting on the system description and the design and implementation of controls (type 1), or on the system description and the design, implementation, and operating effectiveness of controls (type 2).

SOC 2

A service auditor performs a SOC 2 examination in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Assertion-Based Examination Engagements. Those standards establish performance and reporting requirements for the SOC 2 examination. Under those standards, an attestation examination is predicated on the concept that a party other than the practitioner (the responsible party) makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria.

SOC 3

Like a SOC 2 examination, a SOC 3 examination is performed in accordance with AT-C section 205. Unlike a SOC 2 report, whose use is limited to specified parties, a SOC 3 report is usually appropriate for general users. Although a SOC 3 report does not include a complete description of the system, it does include a description of the boundaries of the system examined.

Contents of the report

SOC 1 & SOC 2 (type 1)

  • Management’s description of the service organization’s system.
  • A written assertion by the management of the service organization about the measurement of the subject matters against the criteria as of a specified date.
  • A service auditor’s report that expresses an opinion on whether the subject matters are in accordance with the criteria as of a specified date.

SOC 1 & SOC 2 (type 2)

  • Management’s description of the service organization’s system.
  • A written assertion by the management of the service organization about the evaluation of the subject matters against the criteria throughout the specified period.
  • A service auditor’s report that:
    • expresses an opinion on whether the subject matters are in accordance with the criteria throughout the specified period, and
    • includes a description of the service auditor’s tests of the controls and the results of those tests.

SOC 3

  • A written assertion by the management of the service organization about the evaluation of the subject matters against the criteria throughout the specified period. As part of that assertion, management describes the boundaries of the system and the service organization’s principal service commitments and system requirements.
  • A service auditor’s report that expresses an opinion on whether management’s assertion is fairly stated based on the criteria.

Restricted use?

SOC 1

Yes, to intended users only.

SOC 2

Yes, to intended users only.

SOC 3

No.

Source: AICPA & CIMS