Selecting the appropriate System and Organization Controls (SOC) report requires knowledge of the types of reports available. The American Institute of Certified Public Accountants created three primary kinds of SOC reports, as well as some additional reporting options.
SOC for Service Organizations
SOC Readiness Assessment – Designed to assess preparedness for a SOC examination. Relevant for non-attest consulting engagements to identify gaps in controls and advise the service organization of necessary corrective actions in preparation for the SOC examination.
SOC 1 – SOC for Service Organizations: Internal Controls over Financial Reporting – Report on the controls at the service organization that are relevant to user entities’ internal control over financial reporting. Use restricted to the service organization, its customers (user entities), and the customers’ auditors.
SOC 2 – SOC for Service Organizations: Trust Services Criteria – Report on the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Use restricted to organizations, their customers, and other specified parties.
SOC 2+ – SOC 2 report with additional subject matter or criteria included within the scope of the examination (e.g., PCI, HIPAA, HITRUST, ISO 27001). Use restricted to organizations, their customers, and other specified parties.
SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report – Scope is the same as for SOC 2, but the report omits the detailed system description and the description of the auditor’s tests and their results; it contains only the auditor’s opinion and management’s assertion. General use report.
Specialized SOC reports also exist:
SOC for Service Organizations: SOC 2® HITRUST
SOC for Service Organizations: SOC 2® CSA STAR Attestation
SOC for Cybersecurity – General use report on the effectiveness of cybersecurity risk management programs.
SOC for Supply Chain – Report on an entity’s system and controls to enable users to better understand and manage the risks arising from business relationships with their supplier and distribution networks.
The following scenarios can help determine which report is appropriate for your organization.
Scenario: The report will be used by customers and their auditors to plan and perform an audit or integrated audit of the customers’ financial statements.
Relevant report: SOC 1 Report
Scenario: Customers will use the report as part of their compliance with the Sarbanes–Oxley Act, HIPAA, PCI, HITRUST, or similar law, regulation, or framework.
Relevant report: SOC 1 Report where the requirement concerns financial reporting (e.g., Sarbanes–Oxley); SOC 2 or SOC 2+ Report where it concerns security, privacy, or another framework (e.g., HIPAA, PCI, HITRUST)
Scenario: Customers or stakeholders will use the report to gain confidence and trust in a service organization or other organization systems.
Relevant report: SOC 2 or 3 Report, SOC for Cybersecurity, SOC for Supply Chain
Scenario: The report needs to be generally available.
Relevant report: SOC 3 Report, SOC for Cybersecurity, SOC for Supply Chain
Scenario: Customers need to understand the details of the processing and controls at the service organization and/or other organization, tests performed by the service auditor, and results of those tests.
Relevant report: SOC 1 and 2 Reports
Scenario: Customers do NOT need to understand the details of the processing and controls at the service organization and/or other organization, tests performed by the service auditor, or results of those tests.
Relevant report: SOC 3 Report, SOC for Cybersecurity, SOC for Supply Chain
SOC 1 and SOC 2 reports can be issued as either Type 1 or Type 2 reports.
- Type 1 – Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives (SOC 1) or applicable trust services criteria (SOC 2) included in the description as of a specified date.
- Type 2 – Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives (SOC 1) or applicable trust services criteria (SOC 2) included in the description throughout the specified period.
In simple terms, a Type 1 report addresses whether suitably designed controls exist at a point in time; a Type 2 report also addresses whether those controls operated effectively over a period (commonly six to twelve months).
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit, and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.