System and Organization Control (SOC) reports were created to decrease the audit burden on service providers by establishing a standardized report that can be issued to end users. A SOC examination from a reputable firm can serve as a market differentiator for companies seeking to appeal to a broad range of high-value customers. SOC reports are useful for companies that provide software or services that could impact the financial reporting or business operations of their customers, or that obtain sensitive information on behalf of their customers.
SOC examination report types include:
- SOC 1, Type I and II
- SOC 2, Type I and II
- SOC for Cybersecurity, Type I and II
- SOC for Supply Chain
- SOC 3
SOC Readiness Assessments
A SOC report filled with control failures can do more harm than good. Before issuing your first SOC examination report, we strongly recommend undergoing a SOC Readiness Assessment. SOC Readiness Assessments provide an avenue to compare your company’s current policies, procedures, and controls against SOC 1 or SOC 2 requirements and to implement internal controls specifically designed to meet SOC requirements without being overly burdensome or time consuming. Assessments are based on guidance from the AICPA and are tailored to each client based on industry, company size, and IT architecture.
Our SOC Readiness Assessments follow a streamlined five step process:
- Interview management to gain an understanding of the company and identify applicable SOC 1 objectives or SOC 2 categories and criteria
- Evaluate the internal control environment through inquiries and observation of control activities
- Develop and document a customized list of controls or update existing controls
- Identify control gaps and deficiencies and create specific remediation plans
- Communicate control gaps and deficiencies with prioritized recommendations and next steps
SOC 1 Reports
SOC 1 reports, also known as SSAE 18 reports, are designed for companies that provide software or services that impact their customers’ financial statements or internal controls over financial reporting. They are specifically intended to meet the audit requirements of the CPAs that audit the financial statements of the user entities of your service organization. The control objectives for a SOC 1 report are defined by the company based on the specific services provided to their customers. Control objectives include a combination of IT controls, such as logical access, change management, and backup and recovery, as well as relevant business process controls, such as reconciliations, reporting, and transaction authorization.
The following types of companies can benefit from a SOC 1 examination, especially if their customers are public or in highly regulated industries:
- FinTech Companies
- SaaS Companies that impact Financial Reporting
- Payroll Processors
- Loan Servicing Organizations
- Accounting Software Providers
- Claims Processors
- Data Centers
- Hosting Providers
SOC 2 Reports
SOC 2 reports are relevant to vendors and software companies that are relied upon for the operational needs of their customers or for protecting sensitive customer data. SOC 2 reports are more technical in nature and focus on one or more trust service categories defined by the American Institute of Certified Public Accountants (AICPA) – security, availability, processing integrity, confidentiality, and privacy. All SOC 2 examinations include security (the common criteria). Availability, processing integrity, confidentiality, and privacy are separate categories that can be added based on the specific software or services provided and the expectations of your customers.
The following types of companies can benefit from a SOC 2 examination, especially if their customers are public or in highly regulated industries:
- Software Companies that impact Business Operations:
  - Workflow Management
  - Ticketing Systems
  - Asset or Inventory Management
- Software Companies that Collect Sensitive Information:
  - FinTech Companies
  - HealthTech Companies
  - Payroll Processors
- Security Operations Centers
- Data Centers
- Hosting Providers
SOC 3 Reports
SOC 3 reports are considered ‘add-on’ reports that can be issued in conjunction with a SOC 2 report to more broadly communicate a company’s commitment to security. Like a SOC 2 report, a SOC 3 report focuses on policies, procedures, and controls relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 3 reports are shorter and higher level than SOC 2 reports and are considered general use. Often used as a marketing tool, SOC 3 reports can be distributed freely and published on a company website. Because the SOC 3 report leverages testing and documentation from the SOC 2, the cost of a SOC 3 report is significantly lower than that of other SOC reports; however, it is performed in addition to, not instead of, a SOC 2 examination.
SOC for Cybersecurity
SOC for Cybersecurity examinations are appropriate for any organization with cybersecurity risks, including both businesses and not-for-profits. SOC for Cybersecurity is an entity-wide assessment of your organization’s cybersecurity risk management program. Similar to SOC 3 reports, SOC for Cybersecurity reports are general use and can be broadly communicated and published on a company website. Organizations leverage SOC for Cybersecurity reports to communicate the effectiveness of their cybersecurity risk management program, building trust and confidence in their market.
SOC for Supply Chain
SOC for Supply Chain examinations are appropriate for producers, manufacturers, commercial software developers, suppliers, and distributors where a secure and efficient supply chain is critical to company operations. SOC for Supply Chain leverages the SOC 2 trust service categories with a focus on conformity with relevant regulations and commitments relating to product labeling, consistency, quality, performance, availability, and delivery. Companies share their SOC for Supply Chain reports with existing and prospective business customers and partners to communicate the effectiveness of their supply chain, building trust and confidence in their market.
Type I & Type II Reports
SOC 1, SOC 2, and SOC for Cybersecurity reports are issued as either Type I or Type II reports. Type I reports are limited to tests of design (commonly known as a ‘test of one’) as of a specified date and are typically performed as the first examination in a recurring engagement, primarily when a report is needed quickly to meet an immediate customer need or request. Type II reports include both tests of design and tests of operating effectiveness over a period of time, generally ranging from six months to one year.
Issuing a Type I report first is not required but is often advisable as it allows companies to issue SOC reports to their customers or prospects faster and serves as an effective ‘trial run’ prior to completing a Type II engagement. The majority of ML&R SOC clients obtain SOC compliance through the following services:
- SOC Readiness Assessment
- Type I Report
- Type II Report six or twelve months later
- Type II Reports annually thereafter
Now What? Next Steps
The biggest mistake we see companies make is waiting until a customer or prospect requests a SOC report before engaging a SOC auditor. Companies can lose deals, or even existing customers, if they can’t issue a SOC report in time to meet the customer’s or prospect’s expectations and needs – we’ve seen it happen. When in doubt, call an expert. Our IT Security & Compliance Team is available to answer your questions and help you decide which report is right for you. We’ll help you identify a timeline that makes sense for your budget and your team.