System and Organization Controls:
SOC Suite of Services

SOC 1 Examinations are intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities in evaluating the effect of the controls at the service organization on the user entities’ financial statements. We work with the service organization to produce the report its customers are requesting.

Service organizations that would typically receive a SOC 1 report consist of third-party service providers, insurance companies, and payroll and benefits processors as well as trust departments. Broadly, any service organization that provides services to customers that directly impact the customer’s financial statements would be a candidate for such a report. Service organizations should evaluate their needs along with their customers’ reporting needs prior to determining the type of SOC report that is applicable to their needs.

SOC 1 Type I

SOC 1 Type I reports are defined as a report on the fairness of the presentation of management’s description of a service organization’s system and the suitability of the design of controls to meet the related control objectives. SOC 1 Type I examinations focus on the service organization’s system narrative, as well as the design effectiveness of the controls within the system, and are focused on the system and controls in place at a specific point in time. Type I reports consist of the description of service organization’s “system” and controls, management’s assertion on the fair presentation and design of the service organization’s system, and the auditor’s report and opinion.

SOC 1 Type II

SOC 1 Type II reports are defined as a report on the fairness of the presentation of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls to achieve the related control objectives.  SOC 1 Type II examinations differ from the Type I examination, since the reports include an opinion on the operating effectiveness of the controls, in addition to the design effectiveness covered in a Type I. Type II reports also cover a period of time (at a minimum, six months), as opposed to a point in time. SOC 1 Type II engagements are generally much more thorough and require more time to complete because of the requirement to test the operating effectiveness of controls. The components of a Type II report are similar to a Type 1 report, but are expanded to include the procedures used by the auditor to test the stated controls and the results of such tests.

SOC 2 and SOC 3 examinations are used by service organizations to meet the needs of a broad range of users that need detailed information and assurance about the controls at the service organization relevant to security, availability and processing integrity of the systems at the service organization, and the confidentiality and privacy of the information processed by these systems. The AIPCA has set forth specific trust services criteria within each trust services principle which the service organization’s controls must meet in order to satisfy the principle.

SOC 2 Type I

A SOC 2 Type I report is a report on management’s description of a service organization’s system and the suitability of design of controls over Security, Availability, Processing Integrity, Confidentiality, or Privacy. The SOC 2 Type I generally addresses the organization’s system and design effectiveness of controls as they pertain to the applicable trust services criteria. Similar to the SOC 1 Type I the report is made up of a description of the service organization’s “system” and controls, management’s assertion on the presentation and design of controls over Security, Availability, Processing Integrity, Confidentiality, or Privacy, and the auditor’s report and opinion.

SOC 2 Type II

A SOC 2 Type II report is a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over Security, Availability, Processing Integrity, Confidentiality, or Privacy. SOC 2 Type II examinations differ from the Type I examination, since the reports include an opinion on the operating effectiveness of the controls as well as the design effectiveness. The components of a Type II report are similar to a Type 1 report, but are expanded to include the procedures used by the auditor to test the stated controls and the results of such tests.

A SOC 3 report is similar to a SOC 2 examination, with the primary difference being that SOC 2 reports are restricted use reports and SOC 3 are general use reports. SOC 3 reports can be freely distributed by the service organization and the organization can post a SOC 3 seal on their website indicating the SOC 3 report has been completed.

Service organizations that would typically receive a SOC 2 or SOC 3 report consist of datacenters, software development companies, cloud computing companies, IT service providers, and data and application hosting companies.

In April 2017, the American Institute of Certified Public Accountants (AICPA) introduced a new examination entitled System and Organization Controls (SOC) for Cybersecurity which builds on the AICPA standards already in place over SOC examinations. Existing SOC1, SOC2, and SOC3 framework was directly focused on organizations providing direct or indirect services to other organizations as a service provider.

SOC for Cybersecurity, however, is appropriate for virtually any type of business or nonprofit organization, and is performed in accordance with the AICPA’s Cybersecurity risk management program attestation standards. It focuses on communicating information regarding the design and operating effectiveness of an organization’s cybersecurity risk management program to the organization’s management, board, and other stakeholders, allowing them to understand the processes, policies, and controls that the organization has in place to mitigate and prevent cybersecurity attacks on their information as well as determine potential gaps that are not addressed by processes, policies, or controls currently in place within the organization.

To facilitate this evaluation of an organization’s cybersecurity program, the AICPA developed a cybersecurity risk management reporting framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. This framework is a key component of the SOC for Cybersecurity engagement, through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, board of directors, analysts, investors, and business partners gain a better understanding of the organizations’ efforts.

What is a Cybersecurity Risk Management Program?

A cybersecurity risk management program expands upon a routine IT policy by including an organization’s processes, policies, and controls implemented by the organization to protect and secure the organization’s information and systems from cybersecurity attacks and events. The objective of the cybersecurity risk management program is to detect and mitigate cybersecurity attacks and events while including processes and controls in place to respond to and to recover from cybersecurity attacks and events that are not prevented.

Does your organization need a SOC for Cybersecurity?

A SOC for Cybersecurity examination is not required, but is without question useful for an organization and its stakeholders in understanding the cybersecurity programs in place. If a company relies on the integrity and security of its systems for its ongoing business operations, or fields regular questions from customers or prospects on the nature if its cybersecurity programs, a SOC for Cybersecurity report should be strongly considered.