What is a SOC Audit?
A SOC (System and Organization Controls) report is a report on controls at a service organization (or entity-level controls at other organizations) related to a defined subject matter. Examples include controls that affect user entities’ financial reporting; controls that affect the security, availability, and processing integrity of the systems used to process user entities’ data; and controls over the confidentiality or privacy of the information processed for user entities’ clients. The content of the report depends on the services being provided.
Over the years, the American Institute of Certified Public Accountants (AICPA) has added additional SOC offerings in what they now call the SOC Suite of Services. The suite includes SOC for Service Organizations (SOC 1, SOC 2, and SOC 3), SOC for Supply Chain (added in 2020), and SOC for Cybersecurity.
Are SOC and SSAE 16 or SSAE 18 the Same Thing?
All current SOC examinations are performed under the attestation standards in Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. Before SSAE 18 took effect in mid-2017, SOC 1 examinations were performed under SSAE 16, which is why many people referred to a SOC 1 report as an “SSAE 16 report.”
With the update to SSAE 18, the AICPA also provided guidance on how reports should be referred to. Because SSAE 18 covers other attestation engagements and not just SOC examinations, the AICPA expects SOC reports to be referred to by the name of the report (i.e. SOC 1, SOC 2, or SOC 3) and NOT by the name of the overall standard. So, while SOC examinations do fall under SSAE 18, calling one an “SSAE 18 report” is ambiguous because that label could mean many different things; the deliverable is a SOC 1, SOC 2, or SOC 3 report.
Who Needs a SOC Audit?
So how does a service organization know if they need a SOC examination? And if they do, how do they know which report to get [SOC 1 vs. SOC 2 vs. SOC 3, or a combination]? At Linford & Company, we often get this question from our customers and prospects. They wonder how long they can put it off, or if having the report will provide them some benefit that will outweigh the cost. The following are a few points to consider if you are looking into investing in a SOC report:
- Are you providing a service for clients? SOC engagements and reports are generally completed for service organizations. If you are providing significant services to clients, chances are they would be interested in the controls you have in place to protect them. Examples of service organizations that typically receive SOC reports include, but are not limited to: data centers, software as a service organizations, claims processing centers, payroll companies, and real estate title and closing companies.
- Are your existing clients asking for a SOC report? Generally, if a client is asking for a SOC report it is because their financial auditors have requested it. This is because they are looking for documentation around the controls you, as the service provider, have in place. Providing a SOC report shows what controls are in place and that an outside firm tested those controls. If a SOC report is not available to fulfill this request, there is a possibility that the client could send in their own auditors to test the controls that are in place.
- When proposing work for new clients, are clients asking if you have a SOC report? At Linford & Company, we have heard from many new or prospective clients who think they would be eliminated from the pool of service provider prospects simply because they do not have a SOC report. While completing the examination and producing a report takes some time, Linford & Company can provide you with a letter stating that the engagement is in process once you engage our services.
- Do you want to have an edge over your competitors? If you are up against a competitor for a new client and only one of you has a SOC report, having a SOC report could give you the extra edge to win the work. Also, in industries where SOC reporting is just starting to gain traction, being one of the first to complete the examination and having a report to provide would be a definite advantage.
If any of these questions resonate, your organization probably needs a SOC report. So, which one do you need?
Which SOC Report Does my Organization Need?
We have clients and prospects ask us all the time about how to determine what type of report they need. While SOC 1 and SOC 2 examinations can have a lot of overlap on the coverage of the controls tested, there is a distinct difference in the focus of the reports. A SOC 1 examination focuses on the internal control at a service organization as it is relevant to the financial statements of a user entity.
A SOC 2 examination focuses on the design and operating effectiveness of the service organization’s controls against the Trust Services Criteria (TSC) defined by the AICPA. For example, if you are a payroll processing company, a SOC 1 is likely the best option, because payroll significantly affects the user entity’s financial statements. On the other hand, if you are a data center, a SOC 2 is likely the best option, because the user entity’s financial statements are not directly affected and the emphasis is on meeting the criteria (i.e. security, availability, confidentiality, processing integrity, and privacy).
The other thing to consider when choosing the type of report is what clients are asking for. Sometimes clients will be very specific about whether they need a SOC 1 or a SOC 2, and about whether they need a Type 1 report (which covers the design of controls as of a point in time) or a Type 2 report (which also covers operating effectiveness over a review period). If clients are not asking specifically, the information above may help a service organization determine which report is needed. A number of our clients need more than one report (i.e., both a SOC 1 and a SOC 2 report), which is sometimes the best answer. Additional information on the differences between the reports is outlined in the next section.
What is the Difference Between a SOC 1, SOC 2, and SOC 3?
SOC 1
SOC 1 reports are intended to meet the needs of a service organization’s clients (user entities) and, more specifically, the auditors/CPAs of those clients. The client uses the report to evaluate the effect of the service organization’s controls on the client’s own financial statements, and the client’s auditor/CPA uses it to plan and perform the audit of those financial statements. These reports can be thought of as auditor-to-auditor reports.
SOC 2 and SOC 2+
SOC 2 reports meet the needs of clients of service organizations that need information and assurance about the controls at the service organization: the controls that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by those systems. A report can cover from one to all five of the Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Every SOC 2 report is required to include at least Security, whose criteria are also called the common criteria; the other four categories are included only when they are relevant to the service and to what clients need assurance on.
If a service organization also needs to demonstrate alignment with an additional framework, a SOC 2+ examination can be performed. The SOC 2+ does not certify compliance with the additional framework; it maps the controls tested in the SOC 2 examination to that framework’s requirements and so provides evidence, based on the controls tested, of how those requirements are addressed. Common frameworks include NIST, HITRUST, GDPR, HIPAA, and many others.
SOC 3
SOC 3 reports also use the Trust Services Criteria, but they are intended for clients of service organizations that do not need the details of what was tested and how the testing was performed. The auditor is still required to perform the same walkthroughs and testing as in a SOC 2 examination; the detailed test results are simply not disclosed in the SOC 3 report.
Additionally, AICPA has developed a SOC Toolkit for firms that perform SOC examinations and for their clients. The toolkit was developed to help firms navigate the ever-changing service area and help clients, prospects, and service organizations understand the benefits of SOC examinations.
The toolkit includes a number of free SOC resources and can be found at: http://www.aicpa.org/.
Are SOC Audits Required?
Whether SOC reports are required depends on the angle you look at the requirement from. No law or governing body mandates that a service organization undergo a SOC examination, and there are no fines or penalties for not completing one, regardless of industry.
However, a service organization may have a client or prospect that requires a completed SOC examination in order for them to do business together. We have seen many instances where a contract will not be signed until a completed SOC examination is produced so the prospect can see the controls that the service organization has in place.
Are SOC Reports Public?
SOC 3 reports are general-use reports and can therefore be freely distributed. SOC 1 and SOC 2 reports are restricted-use reports: they are provided to a client or prospect of the service organization on request (often under a non-disclosure agreement) rather than published.
Who can Perform SOC Audits?
SOC examinations must be performed by a licensed, currently registered Certified Public Accounting (CPA) firm. Non-CPA firms are not authorized to perform SOC examinations, their reports will not be recognized by the AICPA, and users should not rely on their results. If a service organization is looking for an auditor to perform its SOC examination, it should first confirm that the firm is a CPA firm, and second that the firm has experience performing SOC examinations. Not every accounting firm should be performing SOC examinations; the SOC guidance is specific and technical, and the work should be done by a firm and individuals with experience performing these examinations.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.