Exploring the Different Categories and Types of SOC Reports
In the first part of our series, we delved into the fundamentals of Service Organization Control (SOC) reports as defined by the AICPA and why they are important for certain service providers. Now, we will explore the different categories and types of SOC reports: SOC 1, SOC 2, and SOC 3. Our explanations of each, below, include examples of each SOC report’s specific use cases. At SingerLewak LLP, we are a national CPA firm, and we perform these types of audits regularly for our clients based on their customers’ specific assurance needs. These needs dictate the type of SOC report that is applicable for them, given their unique situation.
Keep in mind that even if your company is not a service provider that requires a SOC report, you may need to review SOC reports prepared for and furnished by your service providers as part of your vendor management program. It is important that companies understand the controls their service providers have in place, whether those controls are operating effectively, and whether they meet your own standards. Just ask the countless businesses whose customer information has been leaked, or whose business operations have been disrupted, through cyberattacks that could have been mitigated by better vendor management practices.
In fact, a recent ransomware attack in late 2023 on an IT managed services provider caused roughly 60 credit unions to suffer a service outage that adversely impacted their operations, in addition to their members’ sensitive data being accessed by the bad actor (*source: cybersecuritydive.com). To mitigate this sort of risk, it is important that you assess the information security controls and practices (in SOC reports, and through discovery) used by your vendors that have access to your most critical data. Our Business Informatics team can help you with these critical information security and vendor management assessments too, but we will focus on SOC reporting for this article.
Overview of the Different Categories of SOC Reports
SOC reports are designed to help organizations demonstrate their commitment to control activities pertaining to specific control objectives (in the case of a SOC 1), or to the Trust Services Criteria established by the AICPA to evaluate and report on the suitability of the design and operating effectiveness of these controls (in the case of a SOC 2). The specific control objectives or Trust Services Criteria vary based on the category of SOC report required by the organization for use by its customers.
There are three primary categories of SOC reports:
- SOC 1: Focuses on internal controls over financial reporting (ICFR); typically expressed as internal controls that are grouped together to support broader Control Objectives, which are designed by the organization to most effectively secure and control information and processes.
- SOC 2: Evaluates controls that fall into categories promulgated by the AICPA, grouped into as many as five Trust Services Criteria domains: Security (the default for SOC 2 reports), Availability, Processing Integrity, Confidentiality, and Privacy.
- SOC 3: Provides a high-level summary of an organization’s controls for a more general audience and may be provided for public distribution.
Detailed Explanation of SOC 1, SOC 2, and SOC 3 Reports
SOC 1 Report:
- Purpose: SOC 1 reports are intended to provide assurance on the specific controls at a service organization that are determined to be relevant to a user entity’s financial reporting processes – think ICFR (internal controls over financial reporting) – representing internal controls designed to mitigate risks related to the preparation of reliable financial statements.
- Report Types:
- Type 1: Assesses the design of controls at a specific point in time (involves a test of design).
- Type 2: Evaluates the operational effectiveness of controls over a period of time (involves a test of operating effectiveness).
Example Use Case: A payroll processing company, considered a service provider in this case, undergoes a SOC 1 Type 2 audit from a firm such as SingerLewak LLP. The SOC 1 report provides assurance to the service provider’s clients who request the SOC audit report that their payroll data is processed in a control environment designed to mitigate the specified risks and to support the elements typically required by the financial statement auditors of the service provider’s clients. Additionally, the SOC 1 Type 2 report provides assurance that the specified controls were operating effectively over a period of time, in relation to the service provider’s description of its control environment and relevant processing controls.
SOC 2 Report:
- Purpose: SOC 2 reports focus on controls related to the AICPA’s Trust Services Criteria listed earlier.
- Report Types:
- Type 1: Reviews the design of controls at a specific point in time (test of design).
- Type 2: Tests the operational effectiveness of controls over a period of time (tests of operating effectiveness).
Example Use Case: A cloud-based ERP solutions provider completes a SOC 2 Type 2 audit, specific to security, availability, and processing integrity, to demonstrate to its customers that it maintains appropriate controls to protect sensitive data, ensure service availability, and provide robust processing integrity for its customers’ data.
Note: both SOC 1 and SOC 2 reports include detailed descriptions of the services provided by the service provider, as well as the internal controls that support the Control Objectives or the Trust Services Criteria, as applicable.
SOC 3 Report:
- Purpose: SOC 3 reports are intended for a broader audience. These reports provide a high-level overview of the service organization’s controls, without the detailed controls listing or testing results.
- Types: SOC 3 reports are Type 2 by default and do not offer the Type 1 option available with the other SOC report categories.
Example Use Case: A software-as-a-service (SaaS) company issues a SOC 3 audit report and publishes it (as allowed) on its website. The SaaS company publishes the SOC 3 report to demonstrate to potential customers its commitment to maintaining prudent internal control structures and processes. Because it is a SOC 3 report, the SaaS company does not have to publicly disclose the detailed controls or the results of testing those controls.
Conclusion
By understanding both the different categories and types of SOC reports, organizations can choose the appropriate report(s) to meet their users’ (i.e., customers’) compliance and assurance needs. If you would like to further discuss the categories or types of SOC reports, or if you think that you may need a SOC report in the future, please contact me at [email protected]. We are here to help!
Stay tuned for the next part of our SOC reporting series, which we will release in the weeks ahead. We will focus our next article on the SOC process – answering a common question from service providers: “Why are my customers asking for a SOC Audit Report? Do we need a SOC Audit Report?”
Sources cited:
* Credit unions recover from outages caused by third-party ransomware attack | Cybersecurity Dive