SOC 1, 2, & 3 Audit Reports, and Why You Need One

By the Sarbanes–Oxley Act of 2002, public companies are made responsible for the maintenance of an effective system of controls over financial reporting. Such intense stress by the government for mitigating the risk over financial auditing and controls is the primary reason why the companies are not choosing such vendors which might negatively impact their compliance status.

As such, organizations are making their vendors obtain System and Organization Controls (SOC) attestation reports, as mandated by SSAE 16 and SSAE 18. 

A SOC report is a verifiable auditing report which is performed by a Certified Public Accountant (CPA) designated by the American Institute of Certified Public Accountants (AICPA). It is a collection of offered services of a CPA concerning the systematic controls in a service organization. A SOC report tells us if financial audits are performed or not; if audits are done as per the controls defined by the serviced company or not; and the effectiveness of the audits performed.

In brief, a SOC report is the compendium of safeguards built within the control base of the data and is also a check if those safeguards work or not.   

If you are an organization which is regulated by the law, then you must be asking your vendors to provide a SOC report, as it becomes more critical for those vendors which you consider to be dealing with the high-risk operations of your business. 

Some of the vendors provide a SOC 1 report, while some give SOC 2. Sometimes it might also happen that some of the vendors provide a combination of both. Not just this, but SOC 3 reports too exist. The differences are vast and are not evident to those people for whom Systems and Organizational Control is an unfamiliar domain.

What does a SOC require, and should I pursue one?
There used to be SAS 70, that is, Statement on Auditing Standards (SAS) Number 70 for service organizations. It was a broadly accepted auditing standard developed by the American Institute of Certified Public Accountants (AICPA). There was a need for a more comprehensive system of evaluation to be conducted, which would be more than just an audit of financial statements. 

So SSAE 16 - the Statement on Standards for Attestation Engagements Number 16 - was issued by AICPA in April of 2010, which became effective in May of 2011. The Service Auditor’s Examination that was used to be conducted by CPAs under SAS 70 was then replaced with System and Organization Controls reports under SSAE 16.

Older SAS 70 and the SSAE 16 are very similar in many of the aspects, but the SSAE 16 also has numerous upgrades from the previous standard. The upgrades include the attestation issued by the company that confirms that the described controls are there and are fully functional. 

Public companies are also accountable to the Sarbanes–Oxley Act of 2002; a record-keeping and financial information disclosure standards law. SOC reporting, as mandated by SSAE 16, also helps companies comply with Sarbanes–Oxley Act’s section 404 to demonstrate successful internal controls regarding financial auditing and reporting.

In May 2017, AICPA superseded the SSAE 16 by the SSAE 18. SSAE 18 mandates a series of augmentations to increment the quality and application of SOC reports. This superseded version also contained the principles, regulations, and standards for the reporting of SOC.

Along the way, it also drafted the functions of the vendors as provided by the serviced organization. These minor but dominant changes made the SSAE 16 necessitate organizations to take up more and more ownership and control of their own controlling mechanizations. These controlling mechanizations proved instrumental in the identification, further classification, and management of the risks involved in vendor relationships with third-parties.  

What are SOC 1, SOC 2, and SOC 3 reports?

SOC 1 reports address a company's internal control over financial reporting, which pertains to the application of checks-and-limits. By its very definition, as mandated by SSAE 18, SOC 1 is the audit of a third-party vendor’s accounting and financial controls. It is the metric of how well they keep up their books of accounts.

There are two types of SOC 1 reports — SOC 1 Type I and SOC 1 Type II. Type I pertains to the audit taken place on a particular point of time, that is, a specific single date. While a Type II report is more rigorous and is based on the testing of controls over a duration of time. Type II reports’ metrics are always judged as more reliable as they pertain to the effectiveness of controls over a more extended period of time.

SOC 2 is the most sought-after report in this domain and a must if you are dealing with an IT vendor. It is quite common for people to believe that SOC 2 is some upgrade over the SOC 1, which is entirely untrue. SOC 2 deals with the examination of the controls of a service organization over, one or more of the ensuing Trust Service Criteria (TSC):

  • Privacy
  • Confidentiality
  • Processing Integrity
  • Availability
  • Security

SOC 2 is built around the definition of a consistent set of parameters around the IT services which a third party provides to you. If you require to have a metric of a vendor’s providence of private, confidential, available, and secure IT services — then, you need to ask for an independently audited and assessed SOC 2 report. Like SOC 1, SOC 2 too has two types — SOC 2 Type I and SOC 2 Type II. 

Type I confirms that the controls exist. While Type II affirms that not just the controls are in place, but they actually work as well. Of course, SOC 2 Type II is a better representation of how well the vendor is doing for the protection and management of your data. But, the serviced party here has to be very clear about this that the SOC 2 Type II report is to be audited by an independent CPA.  

SOC 3 is not some kind of upgrade over the SOC 2 report. It may have some of the components of SOC 2; still, it is entirely a different ball game. SOC 3 is a summarized report of the SOC 2 Type 2 report. So, yes, it is not as detailed as SOC 2 Type I report, or SOC 2 Type II reports are, but a SOC 3 report is designated to be a less technical and detailed audit report with a seal of approval which could be put up on the website of the vendor.

Because it is less detailed and less technical, it might not contain the same level of vital intricacies of the business auditing which you might require. 

A business must request and analyze the SOC reports from your prospective vendors. It is an invaluable piece of information to make sure that adequate controls are put in place and the controls actually work in an effective manner.

Not just this, SOC reports — be it SOC 1, SOC 2, or SOC 3 — come very helpful in ensuring that your compliance with the regulatory expectations is up to the mark.

What’s Hot on Infosecurity Magazine?