As outsourcing services become a more integral component of business operations across many industries, the need for SOC reporting grows. Data protection is of paramount importance in today’s connected landscape, especially when it comes to safeguarding financial statements and other sensitive information. However, the key to understanding and maintaining compliance is knowing the correct terminology and what a SOC audit actually entails. Here’s why the term “SOC certification” is incorrect and what you should instead be discussing with your independent accountant.
What is a SOC Report?
When service organizations approach an accounting firm, they often ask for a SOC “certification.” It can be confusing to explain, but the short answer is that SOC reports are not certifications. In fact, there is no such thing as a SOC certification or certificate, given the nature of the auditing process and report. Let’s break it down a little further.
Service Organization Control (SOC) reports follow the attestation standards established by the American Institute of Certified Public Accountants (AICPA). The AICPA is widely recognized as the standard-setter for accounting and auditing best practices, and the organization has 418,000 members worldwide. Auditors use these standards to perform an attest engagement for a service organization, examining and testing its internal controls.
The type of SOC report that a service organization receives will largely depend on the services it offers. For example, a company that provides payroll processing for other businesses will need to prove its ability to protect financial information and ensure its completeness and accuracy, whereas a company that provides cloud-based data storage will need to demonstrate its ability to defend sensitive data. Here are the main SOC report types available:
SOC 1: also known as an SSAE 18 report, this type of audit addresses Internal Controls over Financial Reporting (ICFR). The control objectives relate to business processes and information technology. The SOC 1 report can be broken down into two categories: Type 1 and Type 2. A Type 1 report is conducted as of a point in time and only examines the design effectiveness of the controls. A Type 2 report covers a set period of time (typically 12 months) and tests the design as well as the operating effectiveness of the internal controls.
SOC 2: this audit has nothing to do with financial reporting and instead focuses on controls related to operations and compliance. The controls are tested according to the five main Trust Services Categories: security, availability, processing integrity, confidentiality, and privacy. Similar to the SOC 1 report, a SOC 2 report can be issued as a Type 1 or Type 2, depending on the needs of the organization.
SOC 3: this type of report is much less common because it is intended to be shared with the public and therefore contains significantly less information. SOC 3 reports offer the same basic information provided in a SOC 2 report but with redacted details and are used primarily as a marketing tool for service organizations.
Purpose of a SOC Report
Upon the completion of an audit, the service auditor will issue a report on the controls, but that does not mean that any type of designation, confirmation, or certificate is awarded to the service organization. Essentially, the service organization will receive a report with the auditor’s opinion regarding the organization’s ability to adequately and efficiently safeguard its internal and client information. That report can then be shared with any clients or prospects that are considering working with the organization.
The reports are simply a summarization of the control design and, depending on the type of report being issued, the effectiveness of those controls. While the service auditor will include their opinion in the report, there is no “pass or fail” component and therefore no certification. SOC reports are intended to give service organizations vital insight into their system controls to determine whether or not more actions need to be taken to increase security measures.
Additionally, since most service organizations undergo SOC audits per the request of the companies who use their services (also known as user entities), these audits are conducted on a rolling basis. Typically, service organizations will follow the schedule of the user entity, according to the user entity’s fiscal year calendar. Routine testing is essential because technology develops rapidly and the standards that might have been acceptable a few years ago could be obsolete today.
How to Read the Results
As stated earlier, there is no certificate of passing when it comes to SOC reports, but the opinion issued in a report will give you a clear picture of a service organization’s security performance. However, without a clear understanding of the language used in these reports, it can be difficult to understand the end results. It is important to fully comprehend the auditor’s opinion so your organization can take the necessary steps to move forward and improve the design and effectiveness of controls where necessary.
Unqualified Opinion: depending on whether a Type 1 or Type 2 report was conducted, this opinion means that the controls were designed and/or operating effectively to address the stated control objectives.
Qualified Opinion: the auditor cannot deliver an unqualified opinion because one or more control objectives (SOC 1) or Trust Services Criteria (SOC 2) were not effectively addressed.
Adverse Opinion: testing exceptions are severe and controls are generally not designed and/or operating effectively.
Disclaimer of Opinion: the auditor cannot express an opinion because they were unable to obtain sufficient evidence on which to base one.
In the case of SOC reports, the best result for both the service organization and the user entity is for the auditor to issue an unqualified opinion. Any other result should prompt the service organization to review its system controls so that it can reach an unqualified opinion in the future.
Advanced SOC for Service Organizations
While SOC certificates for service organizations might not exist, companies certainly need to do their due diligence when finding an experienced, qualified auditor to conduct their engagements. This is where the Advanced SOC for Service Organizations Certificate can be incredibly valuable.
The Advanced SOC for Service Organizations exam is the only one of its kind and it is conducted by the AICPA. This certificate is only available to professionals who have advanced-level experience managing and leading SOC engagements and have passed the competency-based exam. Upon completion, the CPA receives a digital badge that they can display anywhere on the internet. The badge demonstrates the individual’s ability to conduct complicated SOC audits and it also signals reliability to prospective clients and employers.
Ultimately, while SOC certificates don’t exist, having a clear understanding of what a SOC audit entails will help service organizations know what to expect when they receive the final report with the auditor’s opinion. If you are interested in learning more about SOC examinations or SOC compliance, our experienced team at K Financial is happy to help. We provide a broad range of audit and attestation services so you can ensure your organization stays on the cutting edge of data security standards.