A System and Organization Controls (SOC) report is an independent, third-party attestation of the design and, depending on the report type, the operating effectiveness of a service organization's controls. It gives customers and auditors evidence of how trustworthy an organization and its systems are.
In the short span of six months between November of 2023 and April of 2024, there were 2741 publicly disclosed data breach incidents in the United States, according to IT Governance USA. Businesses have never been under more pressure to prove to customers that they can be trusted to enact proper data security and privacy controls. This is where SOC reports come into play.
Typically used to verify that an organization follows specific best practices before a business function is outsourced to it, SOC reports have become a vital part of transparent and safe business practices. Getting the most value from a SOC report, however, often rests on picking the right type for your business. That's why we've put together this article outlining not only what a basic SOC report is, but the different types and how best to make use of each, whether you're worried about supply chains or cybersecurity.
System and Organization Controls (SOC) reports are governed by the American Institute of Certified Public Accountants (AICPA). This means they can only be issued by independent, licensed CPA firms and have to adhere to the AICPA's attestation standards. If that sounds serious, it's because it is.
SOC reports are designed to check that a business has established the appropriate systems and controls to protect its clients' assets. From a cyber security standpoint, this generally focuses on the security and privacy of client or customer data. It's why SOC reports are also often referred to as "trustworthiness audits."
No matter what type of SOC report a business commissions, however, it will usually include:
Though there are basic factors that are common across all SOC reports, they can vary quite widely in terms of scope. Each type evaluates a slightly different angle of a business’s system and organization controls and, as such, offers different benefits.
Often mistaken for a financial audit because it pertains to financial reporting, a SOC 1 report focuses on the controls at a service organization that are relevant to its customers' internal control over financial reporting. It looks at the internal systems meant to prevent transaction and financial reporting errors, as well as any outsourced services that affect this area.
There are two types of SOC 1 report. A Type 1 report assesses whether the controls are suitably designed and implemented as of a single date, whereas a Type 2 report also tests their operating effectiveness over a review period, typically six to twelve months, to show how the business processes and IT controls related to financial reporting actually performed.
SOC 1 reports are relevant to any organization that provides financial reporting services or whose services could affect the financial audit of another business. They are most commonly used by accounting firms, investment advisers, loan servicers, and other entities in the financial sector.
Where SOC 1 focuses on controls relevant to financial reporting, a SOC 2 audit evaluates controls against the AICPA's Trust Services Criteria, which are organized into five categories. The controls are assessed against the organization's own service commitments and system requirements, including its Service Level Agreements, so the report demonstrates whether the organization meets the standards of data management it has promised its customers.
To prove an organization's ability to securely manage the data it collects from its customers and uses during business operations, any business handling sensitive client or customer data will likely benefit from a SOC 2 report. Every SOC 2 has to include testing of the Security category; the other four categories are optional and are included based on the services the organization provides:
1. Security: Whether the system is protected against unauthorized access, unauthorized disclosure of information, and damage that could compromise the other categories. This is the mandatory "common criteria" in every SOC 2.
2. Privacy: How personal information is collected, used, retained, disclosed, and disposed of in accordance with the organization's stated privacy notice and policies. Although the Confidentiality category applies to any sensitive information, the Privacy category applies only to personal information.
3. Availability: Whether the organization's system is available for operation and use as committed or agreed, for example in an SLA.
4. Confidentiality: Whether information designated as confidential is protected as committed or agreed, from collection through disposal.
5. Processing Integrity: Whether system processing is complete, valid, accurate, timely, and authorized, so that the system does what it is meant to do without errors, omissions, or unauthorized manipulation.
Most SOC 2 reports will include at least a few of these additional categories over and above the mandatory Security criteria. Which ones are chosen, however, depends on the business and the commitments it makes to customers. For example, a business that stores personal information about its customers' end users would benefit from including Privacy in its report, while a hosted service with uptime guarantees should include Availability.
As with the two types of SOC 1 report, SOC 2 can also be broken down into two types according to how the controls are tested. A SOC 2 Type 1 report assesses the design and implementation of the relevant controls at a single point in time, whereas a Type 2 report tests how those controls operated over a review period, typically six to twelve months.
A SOC 3 report is essentially a public version of a SOC 2 Type 2 report, providing a summary of the SOC 2 attestation that is suitable for the general public. It's used to build trust with customers and clients by presenting a high-level summary of how security and the other trust services categories have functioned over time. The key difference between SOC 2 and SOC 3 is that a SOC 2 report is a restricted-use report, intended for existing and prospective customers, their auditors, and other specified parties, while a SOC 3 report is a general-use report that can be distributed freely. Both are attestation examinations conducted under the AICPA's SSAE 18 standard, specifically sections AT-C 105 and AT-C 205.
SOC 3 reports cover the same period and criteria as the underlying SOC 2, tailored to a general audience. The level of detail is lower: a SOC 3 report does not include the auditor's description of the control tests, test procedures, or test results. It does contain the auditor's opinion, management's assertion, and a system description. Typically, organizations that need a SOC 3 report are those that already require a SOC 2 report and want to use their compliance in public-facing marketing, rather than those looking to satisfy specific requests from customers or auditors, who will ask for the full SOC 2. SOC 2 offers both Type 1 and Type 2 reports, whereas SOC 3 reports are always based on a Type 2 examination.
The average cost of a data breach is $4.8 million, per Statista. Much of that cost has to do with the loss of customer trust that often follows. In 2017, the AICPA introduced the SOC for Cybersecurity report in response to increased concerns around cyber-attacks. Unlike a SOC 2 report, which is scoped to a specific system or service, a SOC for Cybersecurity report covers an organization's entity-wide cybersecurity risk management program: its defenses, its risk management processes, and whether they meet the organization's stated cybersecurity objectives.
A SOC for Cybersecurity examination is built around two sets of criteria: the AICPA's description criteria, which govern how the cybersecurity risk management program is described, and control criteria, against which the effectiveness of the controls is evaluated. The control criteria can be the same Trust Services Criteria used in a SOC 2 report, but management may instead choose another suitable framework such as NIST CSF or ISO/IEC 27001. Whichever framework is used, the most important aspect is testing whether the cybersecurity controls in place are effective and meet the business's objectives and agreed-upon parameters.
Because cybersecurity is a concern for all businesses these days, this kind of SOC report is relevant to almost any organization. It provides vital information to both internal and external stakeholders, such as boards, investors, and business partners, on how well protected the organization is from cybersecurity threats, which in turn informs decisions about how data is shared and handled.
Designed to address the needs and risks of organizations that are increasingly dependent on suppliers and distributors, including software companies, a SOC for Supply Chain report offers transparency into how a company addresses risks within its supply chain. The supplier describes its production, manufacturing, or distribution system and identifies the controls it has implemented to mitigate the relevant risks and enhance supply chain resilience.
Supply chain transparency has become increasingly important in recent years as ESG (environmental, social, and governance) regulations have ramped up. Issues with global supply chain disruptions, security breaches and even changes to consumer privacy regulations have also brought greater scrutiny to this area of business.
It's no surprise then that the AICPA has developed a SOC report focused specifically on supply chain risk management and the effectiveness of controls across these operations. It uses the same Trust Services Criteria as a SOC 2 report, applied to the supplier's production, manufacturing, or distribution system, and is best suited to businesses that manufacture, produce, distribute, or ship goods or software.
Both SOC 1 and SOC 2 have the option of a Type 1 or Type 2 report. Choosing which to commission comes down to multiple factors. Let’s take a closer look:
Type 1: A Type 1 SOC report assesses whether controls are suitably designed and have been implemented as of a specified date. It provides a snapshot of the control environment at that moment and, as such, requires far less effort and time than a Type 2 report. It's lower cost, useful for businesses that don't yet have the budget or the operating history for anything greater, and can still provide a useful first trust report.
Type 2: This looks at the same controls as a Type 1 report but also tests their operating effectiveness over a review period, typically six to twelve months, to paint a more robust picture of how, say, privacy measures actually performed. It's far more in-depth, and the sample-based testing of control activity during the period means that a Type 2 report takes longer and costs more. That said, for companies that have the budget and want to demonstrate sustained operational effectiveness, it can be hugely beneficial.
Choosing between the two ultimately comes down to the size, maturity, and resources of a business. Bigger organizations will likely need the depth of a Type 2 report to prove adherence to the criteria in scope over time, whereas smaller businesses may get just what they need from a Type 1. Bear in mind, however, that a Type 1 report says nothing about whether the controls operated effectively over any period, so sophisticated customers will often ask for a Type 2. If you're looking for true transparency, a Type 2 report will usually provide a more satisfactory and comprehensive audit.
Each of us values different things when it comes to trust. Choosing the right SOC report comes down to listening to what it is your clients, customers and stakeholders value most when judging the trustworthiness of your business. Their primary concerns can then guide which SOC report to perform.
The industry you’re in also plays a role. A shipping company will benefit hugely from a SOC for Supply Chain report whereas an accounting firm should opt for a SOC 1 report.
To summarize, when picking the right SOC report, consider:
The only SOC report that tends to be universally applicable is SOC for Cybersecurity. As long as your organization has some kind of digital aspect, an examination of its cybersecurity risk management program will always be relevant.
At Prescient Security, we offer auditing services for a variety of SOC report types including SOC 1, SOC 2, and SOC 3. We can also help you choose the best report type for your needs. If you’re unsure which combination of trust services criteria to cover for a SOC 2, we can help you pick the best to align with your service commitments and SLAs.
Our specialty, however, is cybersecurity. Our CPA team is equipped with extensive cyber security knowledge that goes far beyond typical assurance and compliance needs. We help businesses integrate cyber security standards into their operations so that trust is enhanced and your systems are better protected in the long run, fortifying your organization's security posture and strengthening your security strategy.