May 15, 2025
Dean Flores
Principal, Risk Advisory Services Leader
Atlanta, GA

SOC examinations are assessments conducted to evaluate the effectiveness of an organization’s internal controls. They are particularly relevant for service providers who need to demonstrate security, availability, processing integrity, confidentiality and privacy in their operations. However, knowing what type of SOC examination your organization needs, when you need it and how the examination is conducted can be complex. Our SOC Examination FAQs answer some of the common questions about different types of SOC reports, the benefits and how to know if you need one. Download our FAQs to get the full scope on SOC examinations, and for further information, contact Dean Flores, Risk Advisory Practice Leader.
What are SOC Examinations?
A System and Organization Controls (SOC) report provides independent verification, by a CPA firm, of the systems and controls of a third-party vendor or service organization.
Leaders of service organizations have an opportunity to demonstrate trust and transparency with customers through SOC examinations. Committing to strong control systems is a safeguard for the organization as well as for the businesses with which it works. Data security is a key component of SOC examinations; it allows service organizations not only to address compliance but also to show that they are vigilant over their customers' data.
What is a SOC 1 examination and what are the different types?
A SOC 1 examination is designed to assess whether a service organization's internal controls are suitably designed and operating effectively to address risks to its customers' financial reporting. SOC 1 reports are typically performed for companies that provide a service with a financial reporting impact (e.g., payroll, medical claims processing, loan servicers and SaaS companies). SOC 1 reports are "restricted use" reports, commonly relied on by the service organization's customers, the customers' management and the customers' financial statement auditors.
There are two types of SOC 1 reports. A Type 1 report describes the controls as of a specific date and evaluates whether they are suitably designed; it does not test whether they operated effectively. A Type 2 report covers a specified period, usually at least three months, and not only describes the internal controls but also tests whether they operated effectively throughout that period.
What is a SOC 2 examination and what are the different types?
SOC 2 examinations are designed to address a service organization's controls as they relate to the American Institute of Certified Public Accountants' (AICPA) Trust Services Criteria. The Trust Services Criteria cover security, availability, processing integrity, confidentiality and privacy. SOC 2 reports support organizational and regulatory oversight, vendor management, internal corporate governance and risk management. Like SOC 1 reports, they are restricted use reports, read by the service organization's customers, prospective customers under NDA, external stakeholders and those charged with governance.
Like SOC 1 examinations, there are two types of SOC 2 reports. A Type 1 report assesses whether the description of the system is fairly presented and whether the controls are suitably designed as of a specific point in time. A Type 2 report assesses the same points and additionally tests how effectively the controls operated over a period of time. A detailed chart is available here.
What is a SOC 3 examination?
A SOC 3 examination covers the same Trust Services Criteria as a SOC 2 examination (controls associated with one or more of the Criteria are evaluated), but the resulting report is shorter and easier to read: it omits the detailed system description and the auditor's tests of controls and their results. SOC 3 reports are general use reports, usually posted on a company's website and often used in marketing. They are ideal when external readers need assurance that the controls were evaluated but do not need to understand the details or results of specific tests.
What are the Trust Services Criteria categories of a SOC 2 examination and what do they cover?
SOC 2 examinations are customized to the service controls an organization wants to better manage; security is the common criterion that every SOC 2 examination includes, and the other four are added as the organization's services and customer commitments require. The five Trust Services Criteria encompass the following controls and protections:
- Security: How system resources are protected against unauthorized access, whether through malware, theft, data misuse or other means. For example: two-factor authentication and firewalls.
- Confidentiality: How information designated as confidential is protected and who has access to it. For example: financial and other sensitive information is restricted to specific users and reachable only through access controls.
- Processing Integrity: Whether, and to what extent, a system meets its purpose in terms of data processing. For example: data is processed completely and accurately, is not unintentionally manipulated, and is delivered on time.
- Availability: How accessible systems, products or services are, as determined by a contract or agreement in which both parties set the minimum level of accessibility. For example: network performance and recovery in the event of an incident or site downtime.
- Privacy: How well a system complies with the privacy principles set forth by the AICPA, the organization's privacy notices and other regulatory guidelines when collecting, using, retaining, disclosing and disposing of personal information. For example: preventing unauthorized access to names, addresses and bank account numbers.
What are the main sections of a SOC report?
The main sections of a SOC 1 or SOC 2 report are: management's description of the system (as of a point in time for a Type 1 report, or throughout the period for a Type 2 report), management's assertion, the service auditor's report containing the opinion, and, in the case of a Type 2 report, a description of the auditor's tests of controls and the results of those tests. Management's assertion and the auditor's opinion vary in depth and scope according to whether it is a Type 1 or Type 2 report.
What is a SOC for Cybersecurity examination?
A SOC for Cybersecurity examination uses a reporting framework developed by the AICPA to help organizations communicate to their stakeholders about the effectiveness of their cybersecurity risk management programs. It is not a compliance requirement but a voluntary assessment that provides independent assurance about the design and operating effectiveness of an entity's cybersecurity controls.
What is a SOC for Vendor Supply Chain examination?
SOC for Vendor Supply Chain examinations (the AICPA's SOC for Supply Chain reporting framework), introduced in 2020, are performed for organizations that produce, manufacture or distribute products, so that the customers and business partners who depend on them can better understand the interconnected risks of supply chain relationships. These examinations provide independent assurance on the effectiveness of controls over a company's production, manufacturing or distribution processes. By identifying and mitigating risks related to cybersecurity, fraud, quality control and regulatory compliance, businesses can enhance trust with stakeholders, demonstrate strong risk management and improve operational integrity.
How are SOC for Cybersecurity and SOC 2 examinations different?
The two examinations have different purposes, and while there are several differences, the two most notable ones are which organizations the examinations apply to and the examinations' scope. SOC 2 examinations are intended for service organizations, whereas SOC for Cybersecurity examinations can be performed on any type of organization. A SOC 2 examination is scoped to the system (or systems) the service organization uses to deliver services to its customers and is reported against the Trust Services Criteria in a restricted use report; a SOC for Cybersecurity examination is scoped to the entity's cybersecurity risk management program as a whole and produces a general use report that can be shared broadly.
What is a SOC “Readiness Assessment”?
Generally, a readiness assessment is a pre-examination review that identifies gaps between the organization's current controls and what the upcoming SOC examination will test, along with recommendations for closing them. The complexity of the upcoming SOC examination and the current state of the control processes will dictate how intensive (or not) the readiness process will be. For example, the organization may first need to decide which of the Trust Services Criteria will be included in the examination, draft control descriptions, conduct process walk-throughs, map existing controls to the criteria, remediate gaps in controls, test the results and more.
