We hear SOC reports/examinations referred to as certifications all the time. It can be confusing when we try to correct someone who is asking for a SOC “certification.” So are SOC reports certifications? The short answer is no.
There is no such thing as a SOC 1 certification, a SOC 2 certification, an SSAE 16 certification (SSAE 16 is the previous standard for a SOC 1), or an SSAE 18 certification (SSAE 18 is the current standard for both SOC 1 and SOC 2).
If a SOC Audit Is Not a Certification, What Is It?
It is not a huge deal to refer to it as a certification, but technically speaking, SSAE 18 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). A SOC 1 examination uses AT-C Section 320 of this standard, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. A SOC 2 examination uses AT-C Section 105, Concepts Common to All Attestation Engagements, and AT-C Section 205, Examination Engagements.
Auditors use these standards to perform an attest engagement for a service organization. This results in the issuance of a service auditor’s report on controls, not a certification. There is no designation, award, certification, confirmation, or any other type of special validation for the completion of a SOC 1 or SOC 2 examination. The service organization receives a report from the service auditor with the results of the examination, which it can then provide to any clients or prospects that are asking for the report.
How Do You Refer to the Results of the Examination?
When asked how to refer to this type of examination, we at Linford & Company generally say that a service organization can say it underwent a SOC examination or a SOC audit and was issued a SOC report or SOC attestation report as a result of the examination. A service organization can expand on this to also say it was issued an unqualified opinion (if, in fact, it was an unqualified opinion rather than a qualified opinion, which is stated in the section of the report containing the service auditor’s opinion), or what we also refer to as a “clean” report (an unqualified report).
There are approved logos from the AICPA that service organizations can put on their websites or on marketing materials to show they completed a SOC examination, but that is the extent of what is available outside of the report issued by the auditor.
What Does a SOC Report Cover?
SOC 1: A SOC 1 examination focuses on a service organization’s controls that are relevant to an audit of its clients’ financial statements. The service organization, with the assistance of the service auditor, determines the key control objectives for the services provided to its clients. Control objectives will include both business processes and information technology processes at the service organization. A SOC 1 Type I report includes a description of the controls (design) at a service organization as of a specific date. A SOC 1 Type II report contains the same opinion on the design of controls, but it additionally includes an opinion on the operating effectiveness of the controls over a period of time. The SOC 1 report addresses internal controls relevant to an audit of a service organization’s clients’ financial statements. Readers of SOC 1 reports could include financial executives at a user organization, compliance officers, and financial auditors of the service organization’s clients.
SOC 2: A SOC 2 report addresses a service organization’s controls that are relevant to its operations and compliance, as outlined by the AICPA’s Trust Services Criteria (TSC). The available TSCs are security, availability, processing integrity, confidentiality, and privacy. The security TSC is the only TSC required as part of a SOC 2 examination. Controls meeting the TSCs included in the examination are identified and tested, whereas in a SOC 1 examination the controls supporting the identified control objectives are tested.
For additional information on the available TSCs, please see the following blog posts:
A service organization can choose a SOC 2 report that focuses on just the security TSC, on all five TSCs, or on a combination of the five TSCs available. The readers of SOC 2 reports can also be an organization’s financial executives, compliance officers, and financial statement auditors, but can additionally include an organization’s information technology executives, business partners, and regulators.
Summary
So while it is not a big deal to refer to these examinations as certifications, and we hear that a lot, it is always good to know the facts about what you are getting and what you are being asked for. If you are interested in getting additional information about SOC examinations, or any of the other services we provide, which include HIPAA, royalty auditing, HITRUST, and FedRAMP, please click on the following links: SOC 1, SOC 2, HIPAA audits, HITRUST, Royalty Audits, FedRAMP.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.