Part 2 of 3: Understanding SOC Reports to Build Trust and Reduce Risk
By Zachary Ugol, Risk Management Consultant
As noted in our earlier blog, System and Organization Controls (SOC) can be helpful tool in establishing and maintaining trust between service providers and their customers. Yet there are still a lot of questions around SOC reporting: Which SOC report is right for my organization?
Which KIND of SOC report is right for my organization – SOC 1, SOC 2, SOC 3, or SOC for Cybersecurity?
Did you know there are four (4) kinds of SOC reports that each serve a unique purpose? Refer to the table below for a brief overview of the kinds of SOC reports available.
Comparing Different Kinds of SOC Reports
|SOC 1||SOC 2||SOC 3||SOC for Cybersecurity|
|Use||Used in Financial Statement Audits||Used in Compliance and Operations||Used in Marketing||Used in Compliance and Operations|
|Contents||Report on Internal Controls over Financial Reporting (ICFR)||Report on Trust Service Criteria (Security, Confidentiality, Availability, Integrity, Privacy)||Report on Trust Service Criteria (Security, Confidentiality, Availability, Integrity, Privacy)||Report on Trust Service Criteria (Security, Confidentiality, Availability, Integrity, Privacy)|
|Guidelines||Performed in accordance with AICPA – SSAE18||Performed in accordance with AICPA – AT101||Performed in accordance with AICPA – AT101||Performed in accordance with AICPA – AT101|
|Restrictions||Restricted Use – limited to users of the service and their auditors||Restricted Use – limited to users of the service and their auditors||Unrestricted Use – can be distributed publicly||General Use – can be provided to general users|
While some of the reports seem similar, there are important distinctions between the various reports that must be considered when determining which report is right for your organization. For instance, a SOC 2 and a SOC for Cybersecurity are very similar, but the differences are significant. To help, the AICPA has developed a useful guide for understanding the key differences between these reports.
It is important for organizations to communicate with their service providers and have transparency related to their compliance requirements in order to determine which kind of report is right for the organization.
Which TYPE of SOC report is right for my organization – SOC report Type 1 or 2?
In addition to the kinds of SOC reports, there are two different types of SOC reports available. For example, there can be either a SOC 2 Type 1 or a SOC 2 Type 2. Refer to the table below for the differences between the types of SOC reports.
Comparing SOC Report Types
|Type 1||Type 2|
|Coverage||Evaluates the design of controls||Evaluates the design and operating effectiveness of controls|
|Duration||Performed at a point in time||Covers a period of time|
SOC Reports Build Trust and Reduce Risk
It is important for companies and service providers to understand and communicate all compliance requirements when determining which type of report is required. For instance, just because your organization provides or receives a SOC 2 Type 1, does not mean that you have the necessary information to meet compliance requirements. There are plenty of circumstances when a Type 2 report is required.
In order to ensure ongoing protection against potential security breaches, it is important for companies and service providers to ensure the appropriate framework and reporting is being utilized.
Don’t miss our SOC Reporting blog series!
Check out our first SOC reporting blog on responsibilities and benefits of SOC reports.
Stay tuned for our next blog post in which we will highlight some of the important information included within SOC report as well as key questions to ask when reviewing the report. Follow us on LinkedIn, Facebook, and Twitter for updates.
Learn More: The Impact Makers Solution
Impact Makers’ Risk Management consultants have knowledge of SOC reports and insights to help both service providers and their customers.
For service providers, we help answer the following questions:
- Do I need to provide a SOC report to my customers?
- If so, what kind and type of SOC report?
For customers, we help answer:
- Do I need to request a SOC report from my service provider?
- If so, what kind and type of SOC report?
- If I already receive a SOC report, does the existing SOC report meet my compliance requirements?
To learn more, contact us.