SOC Reports

A SOC 1 report provides assurance to regulators on controls over financial reporting. These reports present customized controls covering general information technology controls and specific business model controls. By its very definition under SSAE 21 guidance, SOC 1 is the audit of a third-party vendor’s accounting and financial controls.

A SOC 1 report is appropriate when a company has outsourced a key business process to an external service provider. This report focuses on internal controls around transaction processing at the service provider.

SOC 2 reports cover controls for business systems, processes and data and may be used by leaders in internal audit, risk management, operations, business lines and IT, as well as regulators and business partners. These reports present specific control activities of the business under a framework referred to as trust services criteria that covers Security, Availability, Integrity and Confidentiality along with Privacy, if applicable. When an organization is concerned with private, confidential, available and secure IT services, then a SOC 2 report is a widely recognized choice.

Other regulated or required frameworks are often needed by various organizations. These can be paired with the accepted trust services criteria to address other compliance and regulatory frameworks, such as National Institute of Standards and Technology (NIST), Health Information Trust Alliance (HITRUST), or General Data Protection Regulation (GDPR).

A SOC for Cybersecurity report verifies a company’s cybersecurity strategy to ensure that they are taking the measures needed to protect themselves against cyber threats.

This report is open to anyone interested in the report and is therefore not as revealing as a traditional SOC 2 report about the specific cybersecurity controls that an audited organization uses. Because it can be presented to anyone, the report comes in handy if an organization wishes to provide third-party assurance that their cybersecurity practices are sound to their business partners and customer relationships as well as the general public.

Type I reports can be performed for both SOC 1 and SOC 2 reports. A Type I report examines the design of the controls of the system and organization and does not test those controls over a period of time. A Type I report is issued to reflect the design of the controls “as of” a specific date.

Type II reports can be performed for both SOC 1 and SOC 2 reports. A Type II report not only examines the design of the controls but also tests those control designs over a period of time. That period of time is considered the audit period.

Before undergoing a full SOC report, a SOC Readiness Assessment can help you understand your controls and benchmarking to get ready for a successful SOC report.

The AICPA has introduced certain specialized guidance for SOC audits that our advisors can also provide. The most recent is the SOC for Supply Chain, which couldn’t come at a better time. With recent events, it is more crucial than ever to assess supply chain risks and make efforts to mitigate those risks for production, manufacturing or distribution systems.