How-To Guide: Everything SOC Reports
- Kay TwoOh
- Dec 26, 2024
- 4 min read

In this article, I will explain everything related to SOC (System and Organization Controls) reports. SOC reports help organizations establish trust and confidence in their services and products. During a SOC examination, the delivery of the service or product, together with the organization's business processes and controls, is analyzed and critiqued. SOC reports are commonly used during vendor risk assessments as assurance for working with the vendor in question (a vendor could be any entity that offers a service or product). I've personally been executing these vendor risk assessments for the past three years (at the time of this writing).
SOC may be considered the backbone of compliance reporting, and if that is the case, one may also surmise that the spine is made up of different vertebrae, each one serving a different purpose for a given organization.
SOC reports are governed by the AICPA (American Institute of Certified Public Accountants). They validate that the organization has designed and implemented the required, effective controls to protect its clients' assets. Those assets could be data and/or the technological hardware implemented in the organization's infrastructure.
SOC reports carry this trust because any given company must undergo a SOC assessment performed by an independent third party, which must be a certified public accountant (CPA).
SOC reporting can help an organization:
- Meet contractual obligations, market concerns, and customer requirements
- Mitigate the trust gap between the company and stakeholders
- Proactively manage risk
- Drive control maturity within the company
SOC Report Types:
SOC 1 Report - This report covers finances. If you don't conduct your financial operations responsibly, you put your customers' financial statements, reporting, and integrity at risk. A SOC 1 is a detailed report that examines the controls your organization has in place for its financial reporting and operations to ensure you're mitigating customer risk. It is performed by auditors for service organizations that handle financial transactions and reporting for their clients. The report focuses on services that affect another company's internal control over financial reporting: it checks how your services impact your customers' financial reporting control environment. Completed reports are used by financial statement auditors to support their Sarbanes-Oxley Act (SOX) obligations.
Important Note: SOC 1 audits are not financial audits. They provide relevant information about any of the items that could affect the controls over the financial reporting process. The controls and their effect on that process are what is in question in a SOC 1 audit (examples: physical access to systems, logical access to systems, change management controls, payroll processing, SaaS, data center services, etc.).
SOC 1 Type 1: Documents the design and implementation of an organization's controls at a specific point in time. This report provides an auditor's opinion on whether the controls are designed to achieve the related objectives.
SOC 1 Type 2: Documents the design and implementation of an organization's controls over a period of time, and provides an auditor's opinion on the controls' operating effectiveness. The typical exam period for a Type 2 report is 12 months, but it can range from 6 to 18 months.
Important Note: A Type 1 report can help an organization implement the discipline needed to successfully complete a Type 2 report. Clients typically look for Type 2 compliance because it provides stronger assurance and trustworthiness, since it covers a large window of time rather than a specific point in time.
SOC 2 Report - This report covers information security. It's relevant to organizations that manage their customers' data. A SOC 2 audit reviews the vendor's information security practices to ensure that your customers' data will be safe under the vendor's care. The SOC 2 report details your security posture and the controls you have in place to protect your organizational and customer data. At the base of the SOC 2 are the five Trust Services Categories (TSCs), each of which contains criteria that your controls and service commitments are evaluated against.
SOC 2 Type 1 - Evaluates a company's controls at a single point in time to determine if the security controls are designed properly.
SOC 2 Type 2 - Assesses how a company's controls function over a period of time, usually 3-12 months, to determine if they operate as intended. Type 2 reports provide stronger assurance than Type 1 reports and show that a company can protect information over time. Companies must get annual audits to maintain their SOC 2 Type 2 certification.
SOC 3 Report - This report covers information security, but it only focuses on your achievements against the aforementioned TSCs and your service commitments and system requirements. A SOC 3 can be freely distributed to anyone because it only reports on whether you have met all the in-scope TSCs and your principal service commitments and system requirements. No test results or opinions are included in this report. It is intended for organizations that want to demonstrate their security controls and best practices to a broader audience. It looks at the same controls as a SOC 2 report, but in far less detail. You might produce a SOC 3 report to showcase the effectiveness of your security practices to a public audience, such as in marketing efforts.
This report is only available as a Type 2 report, meaning it provides a historical view of an organization's controls over a period of time, and it is designed for general public distribution due to its high-level summary format.
Here is a comparison chart between all the SOC Reports we covered in this article:

Thank you for reading and if you have any questions I'm always available via LinkedIn.