SOC reporting is complicated.
Most organizations know about SOC reports because they need them, but don’t know much about them other than that. So how does your organization know what kind they need? What needs to be in the report? We see this confusion a lot with our clients. They come to us asking for a SOC report, but they aren’t sure about the specifics.
We can typically determine which type of SOC report(s) they need based on what their organization does and who is asking for the report.
However, it’s important for you to know more about these reports and what’s within each so you know what they are and what they’re doing for your organization; so keep reading to learn what they are, the different types, and more.
What Are SOC Reports?
SOC stands for Systems and Organization Controls. These were formerly known as Service Organization Control reports. They are a suite of reports that CPA firms can issue in connection with system-level controls at a service organization. There are several types of SOC reports including SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity.
In this blog post, we’ll mostly cover SOC 1 and SOC 2 as they are the most common.
Most organizations need them because they are legally required. However, there are a few other reasons too. Your organization will need to have SOC reports if:
They are contractually obligated by a client or third party organization.
They want to use their security reports for marketing and sales purposes to prove their trustworthiness as a company.
(At Craft Compliance, we’ve helped our clients select vendors and this has been a larger factor than you may think!)
They want to show stakeholders that they are organized and secure as a company.
Most organizations will need to have at least one type of SOC report done regularly.
Types Of SOC Reports
Again, there are several types of SOC reports, however SOC 1 and SOC 2 are the most common. There are also different attest reports that cover different subject matters, which we’ll get into below:
SOC 1 Reports:
A SOC 1 report falls under the Statement on Standards for Attestation Engagements (SSAE) 18 AT-C 320. SOC 1 reports cover financial reporting and financial statement audits. They are very flexible and based on the nature of what you do as an organization, so it is more subjective. Therefore, they primarily address internal controls relevant to the organization’s financial statements.
SOC 2 Reports:
A SOC 2 report also falls under the SSAE 18 standard, and is specifically addressed in sections AT-C 105 and AT-C 205. SOC 2 reports are for security, not financial, purposes. While SOC 1 is more subjective, SOC 2 is more prescriptive in terms of the objectives your organization has to meet. Therefore, they address an organization’s controls that are relevant to security governance, operations and compliance.
Within these different types of SOC reports, there are also two types of exams, type I and type II. Type I covers all relevant controls at a single point in time. Type II covers controls throughout a time period such as 3 months or 6 months. We recommend doing a Type II report, as it reflects better as an organization that you consistently perform controls (rather than just as of a single date), and ideally if your organization can maintain the necessary controls once, you should be able to keep performing controls.
SOC 3 Reports:
SOC 3 reports are much more uncommon for organizations. A SOC 3 is essentially a more brief version of a SOC 2 type II report. It is typically not necessary for an organization to get a SOC 3 report, as the organization can get a SOC 2 report and find the same details they would have in a SOC 3 and more.
So how do you determine which type of SOC report your organization needs? It truly depends on what your customers, vendors, investors, and stakeholders expect of you. There is some flexibility around the controls that can be included within an organization’s SOC report, so it’s important to determine what’s right for your organization. Our SOC reporting process at Craft Compliance begins with going through the organization’s relevant contracts and then addressing specific vendors, stakeholders, customers and security goals.
Looking For A SOC Auditor?
If you’re looking for a SOC auditor, make sure they meet the following standards:
Firstly, it has to be a CPA firm as the reports have to follow AICPA attestation standards. You’ll also want to find a CPA firm that’s reputable and ideally can help you with a readiness engagement and preparation for your report.
To do a SOC 1 report, the firm will need to understand the scope of reports, financial statement auditing, and the specific industry you’re working in. For SOC 2 reports, the firm will need to truly understand security and how to perform the security engagement to attestation standards. (From our experience, there are not a lot of auditors that are also good with security.)
At Craft Compliance, we bring experience in helping implement and audit not only SOC processes and controls, but also in helping security functions build and improve on the concepts covered in the report.
If you need support, you can work with experts (like us!) who can help you figure out what report(s) your organization needs and ensure they include everything needed so you pass with flying colors.