Understanding SOC Reports for User Clients
An organization that relies on service organizations for information technology services needs assurance that those providers are protecting its data and information systems. The way to get that assurance is by reviewing and understanding the service provider’s System and Organization Controls (SOC) report, formerly called a Service Organization Control report.
What is a SOC Report?
Developed by the American Institute of Certified Public Accountants, SOC reports review the systematic controls of service organizations. The report details the effectiveness of an organization’s safeguards for protecting its users’ high-risk systems and data.
There are three different classifications of SOC reports: SOC 1, SOC 2, and SOC 3. A SOC 1 report assesses financial controls. SOC 2 and SOC 3 reports revolve around security and availability controls.
For all three categories of SOC reports, there are two types of reports. Type 1 covers the effectiveness of the design and operating controls at one point in time. Type 2 reviews the effectiveness of controls over a period of time, usually no less than six months and up to 18 months.
For a SOC 1 report, the service organization identifies the control objectives needed to protect clients’ financial data. The SOC 1 auditor assesses the controls that are in place and creates a report so user entities and their auditors can judge whether the service provider’s information technology controls, such as access and business process controls, are working effectively.
Service organizations are responsible for describing to the SOC auditor their services and the controls they have in place to identify and decrease risks to user clients. The auditor, an independent third-party CPA, is responsible for opining on the fairness of the presentation of the description of the service organization’s design and on the effectiveness of controls.
The first section of the SOC 1 report includes a description of each control activity the service organization has and the test the auditor applied to each control, as well as the results of each tested control. The second section states the control activities user entities are expected to implement.
While SOC 1 reports revolve around protecting client financial data, SOC 2 reports address controls that are relevant to a service organization’s own operations. SOC 2 audits are designed to ascertain whether the service organization meets specified Trust Services Principles as defined by the American Institute of Certified Public Accountants.
The principles focus on five areas:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Only one of the five principles is required for a SOC 2 audit: security. Only those areas of a service organization’s information systems that touch a client’s information systems need to be audited.
The AICPA explains the areas in the following ways:
Security refers to the protection of information during its collection or creation, use, processing, transmission, and storage, and to the systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives.
Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.
Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. It is an applicable principle when business processes are completed by the service organization on behalf of the user entity. For example, a service organization that provides the full cycle of reviewing, approving, and paying rent charges for a user entity should include processing integrity as a principle. This principle does not apply to a service organization that only provides a software solution for user entities to perform these functions themselves.
Confidentiality addresses a service organization’s ability to protect information designated as confidential.
Privacy revolves around personally identifiable information (PII) that is collected, used, retained, disclosed, and disposed of to meet an entity’s objectives. PII is personal data that could be used to identify a person, such as their name, Social Security or driver’s license number, or home address. Service organizations that don’t process PII, such as companies that only provide software solutions, have little reason to include the privacy principle in their audits.
In both a SOC 1 and SOC 2 report, an auditor presents her opinion on the fairness of the service organization’s presentation of the description, and the suitability of the design and operating effectiveness of the controls to achieve their objectives based on the organization’s description of them. An auditor will present one of three types of opinions.
- An Unqualified Opinion means the controls have been described fairly and accurately and operate effectively.
- A Qualified Opinion means the controls mainly adhere to the standards but fall short in some areas.
- An Adverse Opinion means the service organization failed in one or more standards. This is typically seen as a failing grade.
Like the SOC 2 report, the SOC 3 is based on the Trust Services Principles. While both the SOC 1 and SOC 2 reports have a “Restricted Use” section, SOC 3 reports are created to be freely distributed and posted on company websites as a seal of approval, lasting for one full calendar year from the date of issue.
SOC 1 and SOC 2 reports are intended solely for the use of management of the service organization, its user entities and their auditors.