Bernard Pietraga

Options and Types in System and Organization Controls (SOC)


The aim of this blog post is to clear up some of the confusion surrounding the various SOC (System and Organisation Controls) reports. These assessments are a set of auditing standards developed by the American Institute of Certified Public Accountants (AICPA). Their objective is the evaluation of, and reporting on, controls in organisations. The reports are divided into three main levels, each with its own objectives and focus. Ultimately, they serve different purposes:

  • SOC 1 ® – In summary, SOC 1 reports focus on financial reporting controls. They evaluate the effectiveness of controls relevant to the processing of financial transactions, such as payroll, billing, accounts receivable, accounts payable and financial statement preparation. They can be Type I or Type II, which I will describe later.
  • SOC 2 ® – Reports focus on controls related to security, availability, processing integrity, confidentiality and privacy. They can also be Type I or Type II, which I will describe later.
  • SOC 3 ® – Reports are general-purpose reports that provide a summary of the SOC 2 report. Think of something you can put on your website as a badge, without going into depth. SOC 3 reports are designed for public use and do not provide as much detail as SOC 2 reports.

SOC reports are not pass/fail. You will receive a report even if the auditor finds many problems; anything the auditor finds will be disclosed in the report.

SOC 1

SOC 1 reports are designed to assess and report on controls relevant to financial reporting. These controls are commonly referred to as internal controls over financial reporting (ICFR). These reports are commonly used by service organisations that provide outsourced financial services, such as accounting firms, payroll services and financial institutions. They help clients and their auditors assess the risks associated with outsourcing financial services and evaluate the effectiveness of the service organisation’s controls over financial reporting.

These assessments are primarily intended for use by entities whose services could have an impact on their clients’ financial statements, such as financial institutions, accounting firms and payroll service providers.

The SOC 1 report provides information on the design and operating effectiveness of these ICFR controls to assist the client’s auditors in assessing the impact of these services on the client’s financial statements.

Reports can be either a Type 1 report (which provides a description of controls and assesses the design of those controls) or a Type 2 report (which assesses the effectiveness of controls over a specified period).

SOC 1 – Type I vs Type II

A Type 1 SOC 1 report provides an opinion on the design of controls at a given point in time. The report describes the controls in place and provides an opinion on whether those controls are suitably designed to achieve the specified control objectives.

A Type 2 SOC 1 report provides an opinion on the effectiveness of controls over a specified period of time, typically six to twelve months. The report not only describes the controls in place, but also assesses the operating effectiveness of those controls. This assessment is based on testing performed during the specified period, which provides a broader understanding of the control environment.

Both report types can be useful to clients and their auditors in assessing the impact of a service organisation’s internal controls on the clients’ financial statements. The choice between a Type 1 and a Type 2 report typically depends on the level of assurance required by the client’s auditors and the specific control objectives of the service organisation.

Common Program for SOC 1 Compliance

The Common Program for SOC 1 Compliance Report is a set of criteria established by the American Institute of Certified Public Accountants (AICPA) that service auditors use to evaluate the design and operating effectiveness of a service organisation’s internal control over financial reporting (ICFR).

  • Control objectives – the objectives that the service organisation’s ICFR controls must achieve to ensure that the financial statements of the organisation’s clients are accurate and reliable.

  • Control activities – the specific policies and procedures that the service organisation has implemented to achieve the control objectives.

  • Tests of controls – the procedures performed by the service auditor to test the operating effectiveness of the control activities.

  • Subservice organisation controls – where the service organisation relies on subservice organisations to provide services, the common program requires the service auditor to evaluate the subservice organisations’ controls and assess their impact on the service organisation’s controls.

  • Reporting – the common program provides guidance on the content and format of the SOC 1 report, including the auditor’s opinion on the service organisation’s ICFR controls.

SOC 2

SOC 2 reports focus on controls related to security, availability, processing integrity, confidentiality and privacy. SOC 2 reports can be either a Type 1 report or a Type 2 report.

The goal is to evaluate controls related to security, availability, processing integrity, confidentiality and privacy (collectively known as the Trust Service Criteria, or TSCs).

The TSCs are principles-based criteria used to evaluate a service organisation’s systems and controls that are relevant to the security, availability, processing integrity, confidentiality, and privacy of information processed or maintained by the service organisation.

SOC 2 reports are commonly used by service organisations providing cloud computing, data hosting and other information technology (IT) services. These reports can help clients and their auditors evaluate the effectiveness of the service organisation’s controls over IT and assess the risks associated with outsourcing IT services to the service organisation.

A SOC 2 Type II audit includes:

  • Walkthroughs with control owners
  • Requesting and reviewing audit artefacts to provide assurance that controls are in place

SOC 2 – Type I and Type II

A Type 1 report provides an opinion on the design of controls at a specific point in time, while a Type 2 report provides an opinion on the operating effectiveness of controls over a specified period of time, typically six to twelve months.

Both Type 1 and Type 2 SOC 2 reports can be useful to clients and their auditors in assessing the effectiveness of a service organisation’s controls over the TSC. The choice between a Type 1 and a Type 2 report typically depends on the level of assurance required by the client’s auditors and the specific control objectives of the service organisation. Most first-year organisations choose a SOC 2 Type I audit.

A SOC 2 Type 1 report provides an opinion on the design of controls at a given point in time. The report describes the service organisation’s system and the controls in place to address the Trust Service Criteria (TSC) of security, availability, processing integrity, confidentiality and privacy.

A SOC 2 Type 2 report provides an opinion on the effectiveness of controls over a specified period of time, typically six to twelve months. The report not only describes the service organisation’s system and controls, but also assesses the operating effectiveness of those controls. This assessment is based on testing performed during the specified period, which provides a more complete understanding of the control environment.

How to become SOC 2 compliant – and where people go wrong

The first step is to decide on the scope of your SOC 2 programme. This could be the whole organisation or just part of it; the scope will be driven by the objectives you are trying to achieve.

But remember that certain corporate functions, such as HR, corporate IT and legal, are likely to be in scope no matter what.

Finally, you need to build the programme. Unlike many other frameworks, SOC 2 does not have a rigid set of control requirements. Instead, SOC 2 establishes criteria, and organisations have some freedom to articulate how their processes meet those criteria. Common elements include:

  • Setting up a governance structure (CC1)
  • Policies (CC2)
  • Risk assessment (CC3)
  • Internal security assessments such as control sampling, penetration testing or third-party security assessments (CC4, CC5)
  • Clean up user access (CC6)
  • Formalising the SDLC (CC8)
  • Implementing a vendor risk management programme (CC9)

SOC 3

SOC 3 reports are publicly available reports that provide a summary of the SOC 2 report.

It is a publicly available summary report of the service organisation’s controls related to the Trust Service Criteria (TSC) of security, availability, processing integrity, confidentiality and privacy. Unlike SOC 1 and SOC 2 reports, SOC 3 reports do not provide a detailed description of the service organisation’s controls or the tests performed by the service auditor. Instead, they provide a high-level overview of the service organisation’s controls and the auditor’s opinion on the effectiveness of those controls.

SOC 3 reports are designed to meet the needs of service organisations that wish to communicate their control environment to a wide range of stakeholders, including customers, partners and potential customers. SOC 3 reports can be posted on the service organisation’s website or made available to interested parties upon request.

To obtain a SOC 3 report, the service organisation must undergo a SOC 2 examination, which includes a detailed assessment of the service organisation’s controls related to the TSC. The results of the SOC 2 examination are then summarised in the SOC 3 report, along with the auditor’s opinion on the effectiveness of the controls.

The main advantage of SOC 3 reports is that they provide a concise and accessible summary of the service organisation’s controls that can be easily understood by non-technical stakeholders. However, SOC 3 reports may not provide sufficient detail for clients and their auditors to fully understand the service organisation’s control environment, so SOC 3 reports are often supplemented with SOC 2 reports upon request.

Trust Service Criteria (TSC)

The Trust Service Criteria (TSC) are a set of principles and criteria developed by the AICPA to evaluate the effectiveness of controls related to security, availability, processing integrity, confidentiality and privacy (also known as the "five trust service principles"). They provide a framework for evaluating the controls of service organisations and providing assurance to service users. The TSC are used in SOC 2 and SOC 3 examinations to evaluate the effectiveness of controls in those five areas. By having controls evaluated against the TSC, service organisations can provide assurance to their customers and stakeholders that their systems and processes are secure, reliable and compliant with applicable regulations and industry standards.

The TSC is designed to address the risks and challenges associated with the increasing reliance on technology and third-party service providers in today’s business environment. The five Trust Service Principles provide a comprehensive framework for assessing the effectiveness of controls over the security, availability, processing integrity, confidentiality and privacy of information and systems.

Service organisations can choose to be assessed against one or more of the TSCs, depending on the nature of their services and the needs of their clients. The AICPA has also developed a set of criteria for evaluating the effectiveness of controls related to the TSC, known as the Description Criteria and Control Criteria.