What are SOC services in relation to service organization control audits? SOC services, in this context, refer to System and Organization Controls (SOC) and the suite of services CPA firms provide for auditing these controls at a service organization. These audits are referred to as SOC audits. Several different kinds of SOC audits can be performed, and it can be confusing for users to understand what their options are. In this article, we provide a roadmap for understanding what SOC services are and the basics of the different SOC audits.
What is System and Organization Controls (SOC)?
System and Organization Controls (SOC) is a common phrase used by CPAs and service organizations to refer to system-level and entity-level controls at a service organization. A service organization provides services to other entities, and the system and organization controls it has in place make up the organization’s internal control environment. Examples of these control areas include logical access, change management, and system operations, to name a few.
As a service organization, it is important to have controls in place to demonstrate to customers the control points within the system and organization. By having a strong control environment, service organizations can demonstrate why they should be trusted to serve their customers and differentiate themselves from competitors. In order to reduce the number of times a service organization is audited by its customers, the organization can obtain a SOC report to provide to their customers. Based on the services provided by the organization and the needs of the customer, the type of SOC report needed can be determined.
A CPA firm, such as Linford & Company LLP, can provide a suite of services related to SOC auditing that assist service organizations in meeting their customers’ needs. A SOC audit is performed in accordance with AICPA standards, and a SOC report is the deliverable provided to the organization at the end of a SOC audit.
Currently, CPA firms can perform several different SOC audits: SOC 1, SOC 2, SOC 3, or SOC for Cyber Security. Depending on the type of SOC report, it can contain the service auditor’s opinion, a description of the system being audited, the controls in place at the organization that were tested by the service auditor, and whether those controls were suitably designed (Type I) and operating effectively (Type II). See our article on Type I vs Type II reports for more information.
What is the Difference Between SOC 1, SOC 2, SOC 3 and SOC for Cyber Security reports?
Oftentimes, service organizations are unsure as to which SOC report is the right report for them. Service organizations can leave it up to their customers to request the report they need, but a CPA firm can also assist the organization in deciding which report is appropriate.
A SOC 1 report is used when the services provided by the organization (payroll processing, for example) impact the customer’s financial statements, also referred to as Internal Control over Financial Reporting (ICFR). In most cases, your customer’s financial auditor requires this report in order to complete the financial audit. Refer to our website for further information regarding SOC 1 reports.
A SOC 2 report is meant to meet the needs of a broader range of users, and it details the controls in place at an organization relevant to security, availability, processing integrity, confidentiality, and/or privacy. These five criteria are referred to as the Trust Services Criteria (TSC), and not all of them have to be included in a SOC 2 report. The only required criterion is security, which is referred to as the common criteria. Based on the services provided by the organization and the needs of its customers, other TSCs can be added. Refer to our article for more information on the Trust Services Criteria. Refer to our website for further information regarding SOC 2 reports.
A SOC 3 report is less common than SOC 1 and SOC 2 reports. SOC 3 reports cover the same TSCs as a SOC 2 report: security, availability, processing integrity, confidentiality, and/or privacy. But a SOC 3 report does not contain the service auditor’s opinion, a detailed description of the system, the service auditor’s tests of controls, or the results of those tests. This makes SOC 3 reports general use reports rather than restricted use reports like SOC 1 and SOC 2 reports. Typically, SOC 3 reports are not necessary for organizations but are used more for marketing, as they can be freely distributed.
SOC for Cybersecurity:
SOC for Cyber Security is a relatively new reporting framework created so organizations can communicate information to users regarding the effectiveness of their cybersecurity risk management program. This report is used by companies to show their customers how they are addressing cybersecurity and managing threats. See this article on Cybersecurity Risk Management for further information.
What is SOC Compliance?
Being SOC compliant means your organization has undergone one of the SOC audits detailed above and the controls are designed (Type I) and operating effectively (Type II). In order to become SOC compliant, a service organization should reach out to a CPA firm to assist them with the process.
At Linford & Co., we assist organizations with obtaining SOC compliance by helping them determine which SOC report is right for them and performing a readiness assessment prior to the audit in order to set the organization up for success. Once a service organization is SOC compliant, they will need to maintain this compliance by performing a SOC audit at least annually, depending on the period being covered.
The SOC suite of services can be confusing, especially when you aren’t sure what the differences between the services are and which is right for your organization. CPA firms like Linford & Co. are here to help. With the suite of SOC services available – SOC 1, SOC 2, SOC 3 and SOC for Cyber Security – there is almost always an option that works for every service organization. It is important to have a strong internal control environment that your customers can rely on, and we can help you demonstrate that and become SOC compliant.
If you have further questions on SOC audits and the services we provide, please contact us to request a consultation.
Megan Kovash works primarily on SOC audits, with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Master of Accountancy at the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her clients’ businesses.