Which SOC Examination to Choose

In today’s ever-changing business world, to create transparency, clients and prospective clients are requiring their service providers to obtain a Service Organization Control (SOC) Report as a vetting process in order to conduct business. But how do you decide which SOC report best suits your needs or your client’s needs? Before you decide you should understand the differences between each SOC reporting optionSOC 1 – (also referred to as an SSAE 16) provides information to customers about the service organizations control environment that may be relevant to their internal controls over financial reporting. An independent audit firm assesses and opines on the effectiveness of internal controls over financial reporting. Organizations that typically choose a SOC 1 examination:

  • Payroll Services
  • Collection Agencies
  • Printing and Mailing Services
  • Third-party Administrators

SOC 2 – provides customers and users with a business need with an independent assessment of the service organizations control environment and focuses on at least one of these five principles:

  • Security: The system is protected against both physical and logical unauthorized access.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.

The service organization can choose to complete a SOC 2 examination of any combination of the principles from one to all five depending on their relevance to the services it provides and the needs of its clients. Organizations that typically choose a SOC 2 examination:

  • Managed Service Providers / Data Centers
  • Software as a Service
  • Medical Records Management

After deciding which SOC report suits your organization now you have to decide which Type: Type 1: A design of controls report. This option evaluates and reports on the design of controls and its implementation as of a point in time. Type 2: Includes the design and testing of controls to report on the operational effectiveness of controls over a period of time. A Type 2 report also includes a detailed description of the tests performed and the results of those tests. Before you decide make sure you complete your due diligence and understand the differences between each SOC report and type. Should you wish to discuss which reporting option would be most appropriate for your organization, please do not hesitate to reach out to us and we would be glad to help you through the decision process.