What are SOC Examinations?
A System and Organization Controls (SOC) report provides independent verification of a third-party vendor's (service organization's) systems and controls.
Leaders of service organizations have an opportunity to demonstrate trust and transparency with customers through SOC examinations. Committing to strong control systems is a safeguard for the organization as well as the businesses with which it works. Data security is a key component of SOC examinations and allows service organizations not only to address compliance but also to show that they are vigilant over the management of their customers' data.
What is a SOC 1 examination and what are the different types?
A SOC 1 examination is designed to assess whether the internal controls of service organizations are suitably designed and effectively operating to address financial reporting risks. SOC 1 reports are typically performed for companies that provide a service (e.g., payroll, medical claims processing, loan servicers and SaaS companies) with a financial reporting impact. SOC 1 reports are “restricted use” reports commonly used by service organization customers, management and auditors.
There are two types of SOC 1 reports. Type 1 documents and describes controls as of a specific date. It tests the design of controls but does not seek to evaluate their effectiveness. Type 2 reports cover a specified period, usually at least three months, and not only describe internal controls but also evaluate how well they are working.
What is a SOC 2 examination and what are the different types?
SOC 2 examinations are designed to address a service organization's controls as they relate to the American Institute of Certified Public Accountants' (AICPA) Trust Services Criteria. The Trust Services Criteria include security, confidentiality, processing integrity, availability, and privacy. SOC 2 reports are important for organizational and regulatory oversight, vendor management, internal corporate governance and risk management. SOC 2 reports are also used by external stakeholders and those charged with governance.
Like SOC 1 examinations, there are two types of SOC 2 reports. Type 1 assesses whether the system design and presentation are fair at a specific point in time. Type 2 evaluates fairness and also attests to how well the controls are operating over a period of time.
What is a SOC 3 examination?
SOC 3 examinations are less comprehensive and easier to read than SOC 2 examinations but still focus on the Trust Services Criteria; specifically, controls associated with one or more Criteria are evaluated. SOC 3 examinations are considered general use reports, usually accessible on a company’s website, often used in marketing efforts and are ideal when external users don’t need to understand the details or results of specific tests.
What are the Trust Services Criteria categories of a SOC 2 examination and what do they cover?
SOC 2 examinations are customized and fit the unique service controls that an organization wants to better manage. The five Trust Services Criteria encompass the following controls and protections:
- Security: How system resources are protected against unauthorized access, like malware, theft, data misuse and more. For example: Two-factor authentication and firewalls.
- Confidentiality: How secure a system's data is and who has access to it. For example: Financial and other personally identifiable information is restricted to certain users and only accessible with access controls.
- Processing Integrity: Whether and to what extent a system meets its purpose in terms of data processing. For example: Data is not unintentionally manipulated and is delivered on time.
- Availability: How accessible systems, products or services are as determined by a contract or agreement. Both parties determine the minimum level of accessibility. For example: Network performance in the event of a data breach or site downtime.
- Privacy: How well a system complies with privacy rules and principles set forth by the AICPA, privacy notices and other regulatory guidelines. For example: Preventing unauthorized access to names, addresses and bank account numbers.
What are the main sections of a SOC report?
The main sections of a SOC 1 or SOC 2 report are: a description of the system at a point in time, management assertion, auditor’s opinion, and in the case of a Type 2 report, a description of the auditor’s tests of controls and test results. Management assertions and auditor’s opinions vary in depth and scope according to whether it is a Type 1 or Type 2 report.
What is a SOC for Cybersecurity examination?
A SOC for Cybersecurity examination is a reporting framework developed by the AICPA to help organizations communicate to their stakeholders regarding the effectiveness of their cybersecurity risk management programs. It is not a compliance requirement but rather a voluntary assessment that provides assurance about an entity’s cybersecurity controls.
What is a SOC for Vendor Supply Chain examination?
SOC for Vendor Supply Chain examinations, which were introduced in 2020, are performed for organizations that produce, manufacture or distribute products to allow suppliers or service providers to better understand the interconnected risks of supply chain relationships. These examinations provide independent assurance on the effectiveness of controls over a company’s production, manufacturing, or distribution processes. By identifying and mitigating risks related to cybersecurity, fraud, quality control and regulatory compliance, businesses can enhance trust with stakeholders, demonstrate strong risk management and boost operational integrity.
How are a SOC for Cybersecurity examination and a SOC 2 examination different?
The two examinations have different purposes, and while there are several differences, the two most notable ones are which organizations the examinations apply to and the examinations’ scope. While SOC 2 examinations are intended for service organizations, SOC for Cybersecurity examinations can be performed on any type of organization.