If you’re in a leadership position at a business, you might have heard of a SOC examination. These examinations, typically requested by clients, prospective clients, or business partners, result in a report that covers the System and Organization Controls (SOC) your business has in place. They serve as an independent indicator that your business is taking sufficient steps to safeguard clients’ data and has the appropriate internal controls in place over processes that may affect customer financial data.

In recent years, SOC examinations, and the SOC reports that flow from them, have become increasingly commonplace as businesses take steps to ensure that the vendors they partner with embrace robust internal controls that safeguard confidential data. Various types of SOC reports have emerged, and it’s important you understand the distinctions between them. In this guide, we’ll provide an overview of the main categories of SOC examination and explore why your business should be able to produce these reports when requested.

If you’re unfamiliar with SOC audits, a client requesting you undertake a SOC report might come as a surprise. But provided you know what to expect and are adequately prepared, there’s nothing to worry about. In fact, SOC reports often represent an opportunity to showcase the strength of your business’s internal controls to new customers, broadening your addressable market and helping you sleep easier at night.

So, what exactly is a SOC report? And if you’re a business based in Tennessee, Kentucky or Indiana, where should you get one? In this guide, we answer those questions and more. Read on to discover everything you need to know to get started with a SOC report.

What is a SOC Report?

A System and Organization Controls (SOC) report, also called a SOC audit, investigates the internal controls and governance policies that a business has in place. These examinations are carried out by an independent CPA firm and culminate in the production of an independent attestation known as a SOC report.

To pass a SOC audit, a business must satisfy the criteria outlined by the AICPA. During the assessment, the business describes the internal controls it has in place. Auditors then observe these processes to assess whether the described controls are actually in place, and issue a report for the business to share with interested parties.

What should I know about SOC Examinations?

At a high level, a SOC examination can best be defined as an assessment of the internal controls that exist within a business. This examination, which you might see referred to as a SOC audit, results in the production of a SOC report.

Businesses use these reports, produced by independent CPA firms like LBMC, to assure their clients and partners that they follow an approved series of internal controls within their business.

There are several types of SOC examinations. By far the most common are SOC 1 and SOC 2 examinations. In years to come, it’s expected that additional examinations, including SOC for Cybersecurity and SOC for Supply Chain, will become more commonplace.

For now though, if you’ve been asked for a SOC report, you’re likely being asked for a SOC 1 or SOC 2 report. Let’s take a closer look at the key distinctions between these two reports.

What is a SOC 1 Report?

SOC 1 focuses on an entity’s internal financial controls. There are several common scenarios where an organization may be required to obtain a SOC 1 report:

  • Financing partners, such as banks, may require your business to undergo a SOC 1 audit before issuing loans or credit facilities.
  • Businesses that process information and data for a publicly traded company may be required by that company to undergo a SOC 1 audit.
  • Businesses that manage money on behalf of other firms (for example, a defined contribution plan sponsor) will likely deal with customers that require the business to obtain a SOC 1 audit.
  • Businesses that are being audited, or are subject to due diligence, are often required to undertake a SOC 1 audit.

A SOC 1 examination evaluates controls related to the financial reporting of an entity.

Often, SOC 1 reports are requested by financial statement auditors to establish a level of confidence in the business’s existing financial controls. They may also be conducted by businesses that manage large amounts of money on behalf of their clients, such as defined contribution plan sponsors that manage 401(k) plans.

During a SOC 1 examination, the business describes its existing financial controls to the firm it has engaged to carry out the examination. The firm then evaluates these processes, either on-site or virtually.

If the business’s description of the controls is accurate and satisfies the criteria specified by the AICPA, this process is straightforward. The result of the engagement is an independent SOC report the business can provide to interested parties as documentation of its internal financial controls.

If there are substandard controls in place, the firm carrying out the SOC examination will typically make recommendations outlining how these could be improved. They may also engage in a consulting project to lead the implementation of these recommendations.

What is a SOC 2 Report?

SOC 2 focuses more on your organization’s security posture and data governance policies. A SOC 2 examination evaluates criteria in five key areas referred to as the Trust Services Criteria:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

As data continues to play an increasingly prominent role in the way many businesses operate, SOC 2 reports are becoming increasingly common. If your business handles confidential data on behalf of external parties, it will likely be required to obtain a SOC 2 report on a routine basis.

A SOC 2 examination evaluates internal controls related to the security, availability, processing integrity, confidentiality, and privacy of a business’s internal systems.

SOC 2 examinations are usually conducted for oversight and due diligence purposes. It’s common for existing customers, potential new customers, or business partners to request that a business share a SOC 2 report before working together.

Requests for SOC 2 audits are especially common in industries where businesses manage high volumes of confidential data, such as the Software as a Service (SaaS) and Managed Service Provider (MSP) industries. No business wants to work with a vendor that puts their data at risk, and SOC 2 compliance is seen as an indicator that a vendor is a reliable steward of information security.

SOC 2 reports have much more of a focus on information technology. The examination is rarely conducted exclusively by CPAs; information systems security professionals are also drafted in.

Obtaining a SOC report should just be one element of your organization’s overall data strategy.

What are Type 1 and Type 2 SOC Reports?

SOC reports, regardless of whether they are SOC 1 reports or SOC 2 reports, can be presented as a Type 1 or Type 2 report.

A Type 1 report evaluates the suitability of the controls on a specific date: for example, the last day of a quarter or year.

A Type 2 report renders an opinion on the operating effectiveness of these controls over a certain period of time, usually one year. Type 2 reports are more in-depth and require rigorous testing to ascertain whether the controls were in place and functioning at different times during the reporting period.

Why Are SOC Examinations Important?

SOC examinations typically stem from a request for a SOC report from a customer, prospective customer, or some other stakeholder. By having an examination completed and a report produced, businesses get the tools they need to share this information. This allows the business to continue or start doing business with the party that requested the report.

Beyond this transactional dimension, a SOC examination also gives business owners peace of mind knowing that their internal processes are robust. If there are gaps or compliance issues within their processes, the business can take steps to remedy these and ensure they are ready for future SOC examinations.

Many businesses conduct SOC examinations on an annual or biannual basis. Once the first report has been completed, the process in subsequent years tends to be relatively straightforward, provided there have been no material changes to the controls in the time between examinations.

Where Can I Get a SOC Report?

SOC reports are governed by the American Institute of Certified Public Accountants (AICPA) and require a SOC audit to be conducted by CPA firms that serve as independent auditors. Not every CPA firm has the internal capabilities to provide these services, so it’s important you select a partner with a proven track record in this field.

SOC audits are often completed on an annual or biannual basis, with the same firm conducting the audit each time. The first audit can take a little longer, but subsequent audits are typically much more streamlined, provided the business’s internal controls remain in compliance.

Establishing a relationship with a CPA firm that you can trust is critical to a successful SOC examination process. At LBMC, we’re proud to provide SOC 1, SOC 2 and SOC 3 audit services.

How Does a SOC Report Work?

Provided your business has the relevant controls in place, a SOC audit tends to be a relatively straightforward process. While every firm conducts these audits slightly differently, at LBMC, we follow a simple three-step process to provide SOC reports to businesses:

  • Step One: Kickoff Meeting – the process begins with an introductory meeting that determines the appropriate type of SOC audit. A preliminary assessment of your business’s readiness for an audit will be conducted at this stage.
  • Step Two: Onsite Audit – the audit team, composed of CPAs and information security professionals, visits your business to conduct an onsite assessment (or performs remote interviews) covering all relevant controls, and performs testing of all defined controls.
  • Step Three: Assurance Report – the auditor delivers an Independent Attestation Report that your business can share with potential clients and partners.

If you have never been through a SOC audit before, a readiness assessment may also be recommended prior to beginning a formal audit. If the audit discovers compliance issues that would cause your business to fail the examination, the auditor will typically provide recommendations on how these deficiencies should be remediated.

Why should I partner with LBMC for my SOC 1 and SOC 2 Assessments?

If a client or partner has requested that your business share a SOC report, there’s no reason to panic. In most instances, provided you have sufficient internal controls, obtaining a SOC examination and report will be a relatively simple process.

When a partner requests a SOC report, it’s important to ask the right questions. Establish what type of SOC report they want, the reason they need to see it, and their expectations for what the report should contain.

With this information, you can engage an experienced SOC examination provider like LBMC to produce a report that gives you and your partners peace of mind that your business is operating correctly.

Obtaining a SOC report can help your business build new partnerships, unlock valuable customer relationships, and fuel growth into new markets and sectors. Our team of experts brings the technical expertise required to assure your business’s prospective new partners that you operate your business on sound internal governance frameworks.

If you’re interested in learning more about obtaining a SOC 1 or SOC 2 report, reach out today. If having a local partner is important to you, LBMC has offices in Nashville, Knoxville, and Chattanooga, TN, Louisville, KY, and Charlotte, NC.