System and Organization Controls (SOC) reports help companies establish trust and confidence in their service delivery processes and controls. As we’ve seen over the last 15 years, the majority of McKonly & Asbury’s new SOC clients have never received a SOC audit before. Because there are several different types of SOC reports, it can be hard to know which one fits your specific SOC needs when a customer asks for one. In this article, we’ll take a look at some of the more common questions that we have been asked about SOC 1, SOC 2, and SOC 3 audits.
Question #1: What is a SOC report, and why is it important? And why am I being asked for it?
A SOC report is an examination report that is performed by a Certified Public Accountant (CPA). Only a licensed CPA firm can perform SOC examinations. A SOC 1 report focuses on internal controls at a service organization that are directly related to a customer’s or user’s financial reporting. In contrast, a SOC 2 report is directed toward non-financial controls. A SOC 2 report is designed to provide assurances about the effectiveness of controls in place at a service organization that are relevant to the security, availability, and processing integrity of the system used to process clients’ information, and relevant to the confidentiality or privacy of that information. A SOC 1 report covers business process control objectives and IT general controls that address the risks of your users related to the use of your service. A SOC 1 is the correct report if your company provides a service that is relevant to or could impact the financial statements of your clients (for example, payroll processing or insurance claim administration). If you are being asked for a SOC report by a user entity (more than likely a customer) to provide its auditors assurance on your internal controls, below are some questions to consider.
Question #2: How do I determine what type of report I need?
The AICPA is the governing entity for the different types of SOC audits and has published a table with three questions that help an organization figure out which SOC report they need.
| Question | SOC Report Type Required |
|---|---|
| Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? | SOC 1 Report |
| Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? | SOC 2 or SOC 3 Report |
| Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? | SOC 2 Report |
Question #3: What is the difference between a Type I and a Type II report?
To further complicate things, there are two types of reports for both SOC 1 and SOC 2. The AICPA defines Type 1 and Type 2 as outlined below. Type 2 is generally the preferred report for user entities requesting a SOC report because it covers a period of time and also covers the operating effectiveness of the audited controls.
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Question #4: My customer is demanding a SOC report – what should it cover?
The SOC 1 addresses internal controls at a service organization that are relevant to its clients’ financial statements. The SOC 2 report addresses a service organization’s controls that are relevant to its clients’ operations and compliance, as outlined by the AICPA’s Trust Services Criteria.
The following questions will help you define the scope of your SOC audit:
- What are the core services your organization provides?
- What are the key service commitments your organization makes with customers?
- What systems are used to deliver your organization’s services?
- What third parties does your organization utilize to deliver its services?
- Does your organization need to comply with regulatory requirements?
Answers to these questions and discussion with your SOC auditor will help you define the scope of your SOC audit. In a SOC 1, the service organization will need to define the control objectives most relevant to answering the questions above. In a SOC 2, the service organization will need to select which of the 5 Trust Services Criteria discussed in question #1 are relevant.
Question #5: My customer wants my SOC report as soon as possible, can we get it next month?
The answer is no 99% of the time, because the majority of organizations do not yet have the controls in place to meet the Trust Services Criteria. A pre-assessment or readiness phase is usually required prior to the audit to make sure those controls are in place. Once the controls are in place, a Type 1 report can be done following the pre-assessment or readiness phase; so, in an organization with a very strong control environment and little need for remediation, yes, you might be able to get it next month. A Type 2 can be done only after a period of time, usually 6 months to 1 year, during which the operating effectiveness of controls can be tested by the auditor throughout the period.
Question #6: Once we get this done, what’s the process to refresh it for my customer?
There is no such thing as a SOC audit refresh. The shelf life of a SOC report (generally 3 months) is not very long, not unlike most security audits, and service organizations are required by their user entities to have a SOC audit performed annually.
Question #7: Is there such a thing as SOC-Certified?
There is no such thing as being SOC-Certified. There is an opinion issued by the service auditor regarding the controls covering the Trust Services Criteria. You can say you have “obtained a SOC report and it is available to customers upon request”, but you should not say you are “SOC-Certified”.
Question #8: Do I need a full-time person to facilitate this?
The answer to this question is “maybe”. Most organizations underestimate the resources needed for the pre-assessment and the SOC audits. To best understand the resources needed, discuss with the service auditor what is expected from the service organization.
If your company has not been asked to provide a SOC report as part of vendor diligence or contract negotiation, it’s likely just a matter of time. As a leader in the SOC suite of services, McKonly & Asbury’s team of experts strives to effectively and efficiently help clients through the SOC audit, from the pre-assessment phase through the annual audit. If you have any questions about any aspect of the SOC reporting process, we are here to help. Contact David Hammarberg, Partner and Leader of McKonly & Asbury’s SOC Practice, at firstname.lastname@example.org.