Over the past decade, we have seen the rapid growth of many organizations outsourcing various functions to service providers and vendors. Such services may range from processing activities, customer support, infrastructure and networks, managed IT services…the list is endless. The growth in outsourced services has been accelerated by many factors – ranging from pressure to reduce operational costs, resolve a lack of internal expertise or resources to support the function, and the exponential rise of cloud-based technology.
When an organization (referred to as the “user entity”) subscribes to one of these outsourced services, they may be transmitting, storing, or processing sensitive company or customer data to the vendor (referred to as the “service organization”). To minimize the increased risk from a security breach and to address potential liability issues, user entities are demanding assurance about a service organization’s system.
To address these concerns, the AICPA (American Institute of Certified Public Accountants) created the SOC (System and Organization Controls), a suite of internal control reports which provide valuable insights to a user entity when assessing the controls and risks associated with an outsourced service. A SOC report is an audit which is independently performed by a Certified Public Accountant (CPA) designated by the AICPA. There are 3 different types of reports – SOC 1, SOC 2, and SOC 3.
To determine which report is the best fit for your organization’s objectives, it is essential to first understand the business drivers and your client’s needs.
SOC 1 – what is it?
SOC 1 reports are intended to demonstrate the effectiveness of internal controls at a service organization that are relevant to their client organization’s internal control over financial reporting (ICFR). ICFR refers to the procedures within an organization that are designed to reasonably ensure compliance with the COSO (Committee on Sponsoring Organizations) framework and to support the Sarbanes Oxley Act of 2002 (section 404) for publicly traded companies.
For the SOC 1, there are no set parameters which must be met, but rather a set of control objectives which must be defined to address the services being provided. This creates greater flexibility in designing control activities and identifying what should be tested as part of the independent examination.
The SOC 1 report has restricted use and can only be distributed to the user entities that rely on your services, or their auditors in the preparation of the financial statements.
SOC 2 – What is it?
SOC 2 reports are intended to assess a service organization’s controls that are relevant to its operations and compliance, as described in the AICPA’s Trust Services Criteria: security (the common criteria), availability, confidentiality, processing integrity, and privacy. A service organization can choose to be assessed against the security/common criteria only, or a combination of the five criteria.
Generally, the SOC 2 is the most-sought-after report by security professionals, as it is more prescriptive and provides a consistent set of parameters on which to evaluate service organizations. The SOC 2 cannot be freely distributed.
SOC 3 – What is it?
Like the SOC 2, the SOC 3 is based on the Trust Service Criteria with one major distinction – the SOC 3 is a summarized version of the SOC 2 which can be freely distributed to any interested parties with no restrictions. However, the SOC 3 only provides a cursory disclosure of the service organization’s environment and auditor’s report on control effectiveness. It is not intended to be technical and does not give a detailed description of the service organization’s controls, policies, or procedures as it relates to the Trust Services Criteria.
To determine which report your organization needs, here are key considerations to assist with the evaluation:
|Factors||SOC 1||SOC 2||SOC 3|
|Your services affect a client’s financial reporting obligations (ICFR)||✔|
|Your organization wants to demonstrate compliance to the Trust Services Criteria||✔||✔|
|What is your intended distribution?||Restricted use||Restricted use||Unrestricted use|
|Who is the intended audience?||User entity’s controllers, compliance officers, CFO, CIO, financial statement auditors||User entity’s controllers, compliance officers, CFO, CIO, executive management, regulators, and other relevant business partners||Any users seeking assurance about your organization’s system and controls|
|Provides a seal of approval on your website||✔|
There are instances when a service organization may get asked for a SOC 1 from some client, and a SOC 2/SOC 3 from other clients which can eat away at company resources and. These requests will vary, depending on the regulatory landscape or industry in which the clients or users operate.
This has created quite a financial and resource burden for many service organizations.