Who Needs a SOC 2 Report?
System and Organization Controls (SOC) reports are a useful tool for showing users and customers that an organization has appropriate controls in place to protect their data. In this article, we outline the kinds of companies that should obtain a SOC report.
Types of SOC Reports
The most common forms of SOC reports are SOC 1 and SOC 2. Developed by the American Institute of Certified Public Accountants (AICPA), SOC 1 reports cover internal controls over financial reporting. This includes any financial data produced by a system that feeds into financial reporting, and financial auditors often request these reports during a financial audit. A common example is a payroll system. Controls should be in place within the payroll system to accurately calculate pay and withholdings, pay the correct individual, and restrict access to certain functions based on the user's role. A SOC 1 is an ideal audit to validate these processes, because the control objectives can be written to cover whatever the organization wants examined, ranging from access control to account reconciliation. SOC 1 audits are highly customizable: the control objectives are defined by the service organization, and there is no fixed number of them. Read more about SOC 1 here.
SOC 2 is different. All SOC 2 audits use the same set of Trust Services Criteria (TSC), and a SOC 2 is specific to the processing, storage, or transmission of sensitive customer data. Its scope is typically a system or group of services that an organization provides to external users. The Trust Services Criteria are organized into five categories: security, availability, processing integrity, confidentiality, and privacy. Examples of organizations that go down the SOC 2 route include Cloud Service Providers, Data Centers, Managed Service Providers, Software as a Service (SaaS) Providers, Data Processing Centers, Financial Institutions, Healthcare Providers, Insurance companies, and Technology Service Providers, and the report can be tailored to each of these industries. Security is the one required category; the others are added depending on the data or services provided. Availability may be added for SaaS providers or data centers, and Privacy or Confidentiality may be added for organizations that handle sensitive information, such as healthcare or insurance companies. Read more about SOC 2 here.
SOC Audits
SOC audits are performed by an independent auditor, a CPA firm, which provides assurance to third parties that use the organization's services. This impartial assessment builds trust and confidence among users, creating stronger relationships and facilitating smoother business transactions. A SOC audit can also serve as a benchmark for the organization's commitment to maintaining high standards of security and compliance in an ever-evolving digital landscape. A SOC engagement can begin with a readiness assessment that identifies control gaps before the audit itself starts; the audit then results in a final report issued at the end of the examination period.
In summary, SOC 2 is geared toward service providers and organizations that give users access to a system. Additional criteria or subject matter can be added to a SOC 2 (referred to as SOC 2 plus additional subject matter) to give users of the services or system further assurance that their data is protected.
For more information, be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reports and our services.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Manager with the firm. He is a member of the firm's System and Organization Controls (SOC) & Technology consulting practice, performing SOC 1, SOC 2, and SOC 3 engagements, as…