A System and Organization Controls (SOC) report, also called a SOC audit, investigates the internal controls and governance policies that a business has in place. These examinations are carried out by an independent CPA firm and culminate in the production of an independent attestation known as a SOC report.
To pass a SOC audit, a business must satisfy the criteria outlined by the AICPA. During the assessment, the business will describe the internal controls they have in place. Auditors will then observe processes to assess whether these processes are in place and issue a report for the business to share with interested parties.
What should I know about SOC Examinations?
At a high level, a SOC examination can best be defined as an assessment of the internal controls that exist within a business. This examination, which you might see referred to as a SOC audit, results in the production of a SOC report.
Businesses use these reports, produced by independent CPA firms like LBMC, to assure their clients and partners that they follow an approved series of internal controls within their business.
There are several types of SOC examinations. By far the most common are SOC 1 and SOC 2 examinations. In years to come, it’s expected that additional examinations, including SOC for Cybersecurity and SOC for Supply Chain, will become more commonplace.
For now though, if you’ve been asked for a SOC report, you’re likely being asked for a SOC 1 or SOC 2 report. Let’s take a closer look at the key distinctions between these two reports.
What is a SOC 1 Report?
SOC 1 focuses on an entity’s internal financial controls. There are several common scenarios where an organization may be required to obtain a SOC 1 report:
- Financing partners, such as banks, may require your business to undergo a SOC 1 audit before issuing loans or credit facilities.
- Businesses that process information and data for a publicly traded company may require a business to undergo a SOC 1 audit.
- Businesses that manage money on behalf of other firms (for example, a defined contribution plan sponsor), will likely deal with customers that require the business to obtain a SOC 1 audit.
- Businesses that are being audited, or are subject to due diligence, are often required to undertake a SOC 1 audit.
A SOC 1 examination evaluates controls related to the financial reporting of an entity.
Often, SOC 1 reports are requested by financial statement auditors to establish a level of confidence in the business’s existing financial controls. They may also be conducted by businesses that manage large amounts of money on the behalf of their clients, such as defined contribution plan sponsors that manage 401(k) plans.
During a SOC 1 examination, the business will describe its existing financial controls to the firm they have engaged to carry out the examination. The firm will then evaluate these processes––either on-site or virtually.
If the business’s description of the controls is accurate and satisfies the criteria specified by the AICPA, this process is straightforward. The result of the engagement is an independent SOC report the business can provide to interested parties as documentation of its internal financial controls.
If there are substandard controls in place, the firm carrying out the SOC examination will typically make recommendations outlining how these could be improved. They may also engage in a consulting project to lead the implementation of these recommendations.
What is a SOC 2 Report?
SOC 2 focuses more on your organization’s security posture and data governance policies. They examine criteria in five key areas referred to as the Trust Services Criteria:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
As data continues to play an increasingly prominent role in the way many businesses operate, SOC 2 reports are becoming increasingly common. If your business handles confidential data on behalf of external parties, it will likely be required to obtain a SOC 2 report on a routine basis.
A SOC 2 examination evaluates internal controls related to the security, availability, processing integrity, confidentiality, and privacy of a business’s internal systems.
SOC 2 examinations are usually conducted for oversight and due diligence purposes. It’s common for existing customers, potential new customers, or business partners to request that a business share a SOC 2 report before working together.
Requests for SOC 2 audits are especially common in industries where businesses manage high volumes of confidential data, such as the Software as a Service (SaaS) and Managed Service Provider (MSP) industries. No business wants to work with a vendor that puts their data at risk, and SOC 2 compliance is seen as an indicator that a vendor is a reliable steward of information security.
SOC 2 reports have much more of a focus on information technology. The examination process typically is rarely conducted exclusively by CPAs––information systems security professionals are also drafted in.
Obtaining a SOC report should just be one element of your organization’s overall data strategy.
What are Type 1 and Type 2 SOC Reports?
SOC reports, regardless of whether they are SOC 1 reports or SOC 2 reports, can be presented as a Type 1 or Type 2 report.
A Type 1 report evaluates the suitability of the controls on a specific date: for example, the last day of a quarter or year.
A Type 2 report renders an opinion on the operating effectiveness of these controls over a certain period of time––usually one year. Type 2 reports are more in-depth, and require rigorous testing to ascertain whether certain controls were in place and functioning at different times during the reporting period.
Why Are SOC Examinations Important?
SOC examinations typically stem from a request for a SOC report from a customer, prospective customer, or some other stakeholder. By having an examination completed and a report produced, businesses get the tools they need to share this information. This allows the business to continue or start doing business with the party that requested the report.
Beyond this transactional dimension, a SOC examination also gives business owners peace of mind knowing that their internal processes are robust. If there are gaps or compliance issues within their processes, the business can take steps to remedy these and ensure they are ready for future SOC examinations.
Many businesses conduct SOC examinations on an annual or biannual basis. Once the first report has been completed, the process in subsequent years tends to be relatively straightforward, provided there have been no material changes to the controls in the time between examinations.