With the advent of the Sarbanes-Oxley Act (SOX), other demands for transparency, increasing globalization and outsourcing, the use of SSAE 18 has grown exponentially. Service organizations that provide key third-party outsourcing services often need to be accountable to the clients that they serve. These organizations include claims processors, application service providers, benefits administrators, payroll companies, data centers, and many others.
Furthermore, the creation of System and Organization Control Reports (SOC 1, SOC 2, SOC 3 reports) provide three new reporting vehicles developed for service organizations to respond to demands for uniform reporting and review—expanding service organizations’ ability to report on financial controls, non-financial controls and, with SOC 3, become certified trusted system service organizations.
CPAs perform SSAE 18 attestments to provide assurance to the service organization’s customers and their auditors that the organization has certain, adequate and effective controls in place.
- Type I audits consider the controls’ design effectiveness at a certain point in time
- Type II audits examine the controls’ design and operating effectiveness over a specific period, typically six to 12 months.
SOC 1, SOC 2 and SOC 3 engagements address today’s environment that:
- Requires greater international consistency
- Addresses newer technologies such as cloud computing, mobile, and virtualization
- Demands more widely recognized and understood reporting options
LBMC Information Security’s audit professionals operate as part of LBMC, PC—a Top 50 US CPA firm. We provide SOC services to clients across the country and maintain appropriate licensure in the states in which we provide attest work. As a result, we have in-depth industry knowledge to help service providers in a variety of industries, including healthcare and claims processing, financial services, cloud service providers, and commercial collation and hosting providers.
SOC 1 requires management to provide written descriptions of its systems and assert that the system descriptions are fairly presented, control objectives suitably designed and operate effectively, and identify the criteria they used to make those assertions.
While SOC 1 examines service organizations’ controls related to financial reporting, SOC 2 and SOC 3 reviews security, availability, processing integrity, confidentiality, and privacy reporting controls that align to the AICPA Trust Services Criteria (TSC).
The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system. A SOC 3 report can be distributed freely while a SOC 2 is meant for a service organization’s customers.
SOC 2 Engagements
SOC 2 engagements use the TSC as well as the requirements and guidance in AT Section 101, attest engagements, of SSAEs (AICPA, professional standards, vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or type 2 report may be issued and the report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests.
SOC 3 Engagements
SOC 3 engagements use the predefined criteria in trust services criteria that are used in SOC 2 engagements. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results). It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy).
SOC for Cybersecurity
The SOC for Cybersecurity examination is designed to provide report users with information to help them understand management’s process for handling enterprise-wide cyber risks. It can be performed for any type of organization regardless of size or industry, and report users aren’t necessarily current customers or customer auditors.
SOC for Cybersecurity provides the following:
- A standard, consistent, way to report on an entity’s cybersecurity risk management program (CRMP).
- An effective way to communicate cybersecurity control effectiveness to stakeholders, boards, committees, customers, and partners through a comprehensive cybersecurity audit.
Differing from SOC 2 reports, SOC for Cybersecurity reports address the following:
- The baseline against which an entity is assessed in SOC for Cybersecurity is the Description Criteria for management’s description of the entity’s cybersecurity risk management program.
- An organization pursuing a SOC for Cybersecurity may utilize the Trust Services Criteria, but may also use another generally accepted security framework when designing or assessing its control requirements.
- SOC for Cybersecurity reports are general use reports, and the objectives of the report are often determined by company management. These reports are meant for a broader audience than SOC 2 reports and may be shared with anyone inside or outside an organization.
- In a SOC for Cybersecurity, the controls matrix will not be included in the report.
The LBMC Information Security team was instrumental in working with the AICPA to create and release this assessment to help you achieve compliance and provide the insights you need to make better business decisions.
What Type of SOC Report is Best for You?
SOC reports help your business retain and attract new customers. Every business that shares critical data with a service provider wants to be sure that the business partner is doing all it can to protect its vital information assets. How do you prove you are?
Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements?
If you answer YES, you need a SOC 1.
Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law/regulation?
If you answer YES, you need a SOC 1.
Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s IT systems?
If you answer YES, you need a SOC 2 or 3.
Do you need to make the report generally available to non-customers?
If you answer YES, you need a SOC 3.
Do your customers have the need for and the ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditors and the results of those tests?
If you answer YES, you need a SOC 2. However, if you answer NO, you need a SOC 3.