What the SOC?
A service organization controls (SOC) report is a way to verify that an organization is following some specific best practices before you outsource a business function to that organization. These best practices are related to finances, security, processing integrity, privacy, and availability.
It is a standardized report that gives service providers a mechanism to deliver insight into the design and operating effectiveness of internal controls relevant to user entities (i.e., customers). There are three primary types of reports:
A SOC 1 is related to internal controls that impact financial reporting or internal controls of the customers of the service organization.
SOC 2 and SOC 3 are related to internal controls that impact system security or availability, processing integrity, confidentiality, or the privacy of customer data.
What type of SOC audit report is right for your organization?
- SOC 1 – Do you need to report to regulators on controls over financial reporting?
- SOC 2 – Does your company rely on vendors to process and safeguard your sensitive data—or are you a vendor entrusted with sensitive data? SOC 2 reports cover controls such as security and privacy and can be used by leaders in internal audit, risk management, operations, business lines, and IT, as well as regulators.
- SOC 3 – Do you need a more straightforward report to support your marketing purposes and to share with anyone?
SOC 1 reports look at internal control over financial reporting, which pertains to the application of checks-and-limits. By its very definition, as mandated by SSAE 18, SOC 1 is the audit of a third-party vendor’s accounting and financial controls. This is the metric of how well they keep up their books of accounts.
There are two types of SOC 1 reports — SOC 1 Type I and SOC 1 Type II. Type I pertains to the audit taken place at a point of time, that is, a specific single date. A Type II report is more rigorous and is based on the testing of controls over a duration of time. Type II reports’ metrics are always judged as more reliable as they pertain to the effectiveness of controls over a more extended period.
SOC 2 is a highly most sought-after report and a must if you are dealing with an IT vendor. A SOC 2 report is not an upgrade of a SOC 1 report. SOC 2 deals with the examination of the controls of a service organization over, one or more of the ensuing Trust Service Criteria (TSC):
- Processing Integrity
A SOC 2 report is built around the definition of a consistent set of parameters around the IT services which a third party provides to you. If you require to have a metric of a vendor’s providence of private, confidential, available and secure IT services — then, you need to ask for an independently audited and assessed SOC 2 report. Like SOC 1, SOC 2 has two types — SOC 2 Type I and SOC 2 Type II.
Type I confirms that the controls exist. While Type II affirms that not just the controls are in place, but they actually work as well.
SOC 3 is not an upgrade over the SOC 2 report. It may have some of the components of SOC 2; still, it is very different. SOC 3 is a summarized report of the SOC 2 Type 2 report. So, yes, it is not as detailed as SOC 2 Type I report, or SOC 2 Type II reports are, but a SOC 3 report is designated to be a less technical and detailed audit report with a seal of approval which could be added up on the website of the vendor.
The SOC audit professionals at Lazarus Alliance are completely committed to you and your business’ compliance success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations.
Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.