Which SOC Examination is Right for Your Organization?

Does your organization need a SOC examination? If so, which one?

In today’s fast-paced and ever-changing business landscape, with a heavy focus on cybersecurity, more and more service providers are being required by clients or prospective clients to obtain a System and Organization Controls (SOC) examination to conduct business. If this sounds familiar and your organization is deciding if a SOC examination is right for you but you’re not sure where to start, let us help break it down for you.

Why is a SOC examination important?

A SOC examination is more than a requirement from a client. It provides transparency and independent assurance over the service organization’s control environment. It assures not only clients but also internal stakeholders, partners, investors, and regulators that the service organization has designed, and is operating effectively over time, the controls needed to process customers’ information properly, protect their data, and maintain information security.

The SOC examination framework is flexible and customizable to meet many different objectives. A SOC examination helps build trust and credibility and gives the service organization a competitive advantage in the market. In addition to providing baseline assurance over information security, SOC reports can optionally be expanded to address processing integrity and specific business processing control objectives, privacy, confidentiality, availability, and even specific issues for supply chain participants.

Which SOC examination to choose?

Now that we’ve established why a SOC examination is important and the flexibility it provides, let’s dive into the different SOC reporting options that are available from the American Institute of Certified Public Accountants (AICPA).  The SOC suite of services currently comprises the following individual reporting frameworks:

  1. SOC 1 — SOC for Service Organizations: Internal Controls over Financial Reporting (ICFR)
  2. SOC 2 — SOC for Service Organizations: Trust Services Criteria
  3. SOC 3 — SOC for Service Organizations: Trust Services Criteria for General Use Report
  4. SOC for Cybersecurity
  5. SOC for Supply Chain

Does your organization provide services that could impact your clients’ internal controls over financial reporting? Does your organization process or handle financial data that is critical to clients who are publicly held (i.e., SEC filers)? If you answered yes to either (or both) of those questions, SOC 1 may be right for you. A SOC 1 provides assurance to your customers about the parts of your control environment that may have an impact on their internal controls over financial reporting. Service organizations in the following industries typically provide a SOC 1 to their public-company customers that are subject to Sarbanes-Oxley annual filing requirements; however, this list is not all inclusive:

  • Accounts payable processors
  • Application service providers
  • Claims processors
  • Credit card payment processors
  • Defined contribution plan recordkeepers
  • Investment managers
  • Payroll processors
  • Transfer agents
  • Collection agencies

A SOC 1 is designed to address the design and operating effectiveness of controls that meet specific control objectives, and those control objectives are unique to each service organization. The SOC 1 report and its control objectives generally address the entity-level controls, business processing controls (manual and automated), and IT general controls of the service organization. The AICPA SOC 1 guide has sample control objectives relevant to many of the industries noted above.

The SOC 2 is more standardized than the SOC 1 and is more relevant for service organizations that handle sensitive data or provide services related to the five SOC 2 categories: security, availability, processing integrity, confidentiality, and privacy. The service organization can choose which combination of categories to include in its SOC 2 examination based on the nature of the services it provides; however, the security category (the common criteria) must always be in scope for a SOC 2. Availability, processing integrity, confidentiality, and privacy may be added, depending on their relevance to the services provided. Service organizations in the following industries typically opt for a SOC 2; however, this list is not all inclusive:

  • Managed IT service providers
  • Software as a Service (SaaS)
  • Cloud service providers
  • Healthcare providers
  • Legal and accounting firms
  • Government agencies
  • E-commerce Platforms

A SOC 2 is designed to address the design and operating effectiveness of controls that meet the Trust Services Criteria, which is the common framework for all organizations that obtain a SOC 2. As a result, SOC 2 reports are much more similar from organization to organization than SOC 1 reports, whose control objectives are unique to each organization.

A SOC 3 is designed for general (external) use. It provides a high-level overview of the service organization’s controls related to the SOC 2 categories in scope. It’s important to note that a SOC 3 can only be obtained in conjunction with a SOC 2 and covers the same scope as the SOC 2. Whereas the SOC 2 is a restricted-use report intended only for customers and other parties that already have sufficient knowledge of the service organization, the SOC 3 can be broadly distributed, is often used as a marketing tool, and may be thought of as a truncated version of the SOC 2. For more information about how to market your SOC report, check out our insight article ‘Successfully Marketing Your SOC Report’ here.

SOC for Cybersecurity

Cybersecurity has become a top concern for boards of directors and senior executives of many entities, regardless of their size or the industry in which they operate. Government officials are also concerned about cybersecurity at governmental agencies and departments. For most entities, cybersecurity is a significant business risk that needs to be identified, assessed, and managed along with other business risks the entity faces, and it is management’s responsibility to ensure that all employees throughout the entity, not only those in the information technology department, address cybersecurity risks. The need for effective cybersecurity risk management programs is only going to increase in the foreseeable future.

The AICPA has developed a framework that organizations can use to describe their cybersecurity risk management programs and to undergo a SOC for Cybersecurity examination on the effectiveness of the controls within those programs. SOC for Cybersecurity uses a framework similar to the SOC 2, but it is intended to cover a broader scope (the entity’s cybersecurity risk management program as a whole rather than a specific service) and to be distributed more broadly.

SOC for Supply Chain

Due to rapid technological advancement, the production, manufacturing, or distribution of products often involves a high level of interdependence and connectivity between the entity and (a) the organizations that supply raw materials or components for the manufacturing process (suppliers) and (b) its customers and business partners. These relationships are often considered part of the supply chain, and they introduce additional risks. Accordingly, those suppliers, customers, and business partners are responsible for identifying, evaluating, and addressing those additional risks as part of their supply chain risk management programs.

To identify, assess, and address the risks arising from their interactions with the entity and the system it uses to produce, manufacture, or distribute products, suppliers, customers, and business partners usually need information about the design, operation, and effectiveness of the controls within that system. To support their risk assessments, they may request an attestation report from the entity. Such a report is the result of a SOC for Supply Chain engagement, and it enables users of the report to better understand and manage the risks arising from business relationships with their supplier and distribution networks.

What Type of SOC Examination to Choose

Both the SOC 1 and the SOC 2 come in two types: Type 1 and Type 2. A Type 1 examination tests the suitability of the design of the controls in the service organization’s system as of a point in time, while a Type 2 examination tests both the suitability of the design AND the operating effectiveness of those controls over a period of time. A Type 1 examination is often used by service organizations undergoing a SOC examination for the first time and can be used for internal benchmarking by comparing controls to industry standards; it is a steppingstone to obtaining the Type 2 report. A Type 2 examination offers a greater level of assurance because it assesses whether the controls actually operated effectively throughout the review period. That period can be set by the service organization based on client and organizational needs, but it is often a 12-month period. If your organization is considering obtaining a SOC report but you’re not sure you are ready, a readiness assessment can be completed first to identify the gaps in the control environment before undergoing a Type 1 or Type 2 examination.

Making a Decision

Now that you understand the various options available to you under the SOC reporting framework, it’s time to decide which option is best for your organization. As you make that decision, it’s important to create a compliance strategy that covers all of your compliance needs. In many circumstances your organization may also need additional audits or certifications, such as ISO 27001 or PCI DSS, in addition to the SOC examination. If you are wondering how to incorporate multiple audits into your compliance strategy, check out our insight article on creating efficiency and effectiveness by using one audit firm for multiple security and compliance audits here.

If you wish to further discuss which SOC examination makes most sense for your organization or how to create a comprehensive compliance strategy, AARC-360 is happy to help. Give us a call today to get started!

Authored By
Amberly McMillin (Associate Manager, AARC-360)