Today more than ever, companies rely on service providers to streamline day-to-day operations and ensure continued functionality. This is evident through the emergence of cloud computing, data centers, and software-as-a-service (SaaS) organizations. However, with the ease and convenience of these outsourced tasks comes some degree of inherent risk.
A key differentiator between service providers and their competitors is the ability to demonstrate the establishment and effective implementation of internal controls in relation to the services they provide. One easy way to provide this assurance for all key stakeholders is to undergo a System and Organization Controls (SOC) audit.
What is a SOC Report and Who Needs One?
In a nutshell, a SOC report is issued after a third-party auditor conducts a thorough examination of an organization to verify that they have an effective system of controls related to security, availability, processing integrity, confidentiality, and/or privacy. The report, which is issued by a Certified Public Accountant (CPA), provides reasonable assurance over the design and operating effectiveness of controls and clearly outlines any potential risks for customers or partners that are considering working with the organization.
To understand SOC lingo, there are a few key terms you will want to be familiar with:
- Service Organization – the organization that is being tested.
- User Entity – the organization that outsources a function to a service organization.
- Control – the auditable process or mechanism designed to prevent or detect risk.
Transparency is crucial when it comes to gaining the trust of another organization and its stakeholders, such as vendor compliance, internal audit, IT management, and legal departments. The success or failure of specific controls has a significant impact on the reputation, financial statements, and stability of the service organization.
Types of SOC Reports
Due to the diverse controls of various service organizations and the types of services they offer, the nature and extent of SOC reports differ greatly. The American Institute of CPAs (AICPA) outlines the major types of SOC reports, along with SOC for Cybersecurity and the new report, SOC for Supply Chains, which is still under development. However, SOC 1 and SOC 2 are the most commonly issued reports.
The SOC 1 report focuses on a service organization’s business process and information technology controls that might impact a user entity’s financial statements. This is referred to as internal controls over financial reporting (ICFR). Controls can be as simple as all systems require complex passwords and are restricted to authorized users or as complex as penetration testing which tests vulnerabilities within the systems. Examples of the types of service organizations that would receive a SOC 1 report include payroll processing, medical claims processing, and loan servicing companies.
There are two types of SOC 1 reports available, differing by the extent to which the controls need to be examined to create adequate user entity assurance.
Type I – often referred to as point-in-time reports, the controls within this type of audit are tested as of a specific date and include a description of the service organization’s system. Type I reports only test the design of a service organization’s controls, not the operating effectiveness. Most organizations receive a Type I report once and then transition to a Type II report.
Type II – this report covers a period of time (typically 12 months), includes a description of the service organization’s system, and tests the design and operating effectiveness of the controls.
Regardless of the type of SOC 1 report a service organization requires, it’s important for management to schedule the auditing process with enough time to provide appropriate coverage for the specific fiscal year of user entities.
SOC 1 Report Structure
A complete SOC 1 report contains five major sections:
- The Opinion Letter – this is where the auditor will outline the scope of the report, report as-of-date (Type I) or test period (Type II), depending on the type of audit that was conducted, and the opinion being issued.
- Management’s Assertion – this section includes management statements such as an assertion that the description of the system accurately reflects the system; the control objectives were suitably designed (Type I) or suitably designed and operating effectively (Type II); and elaboration of the criteria that was used to make the assertion.
- Description of the System – this section covers the supporting processes, policies, procedures, personnel, and operational activities that comprise the service organization’s service and might impact the user entity’s ICFR.
- Description of Tests of Control and Results of Testing – this is where the auditor describes the controls that were tested, the procedures implemented to test the controls and the results of the testing.
- Other Information – this section is not always included, but is sometimes added to provide additional information that is not covered by the auditor’s opinion.
While the SOC 1 report focuses on internal controls related to financial reporting, the SOC 2 report is directed toward non-financial controls. SOC 2 reports are important for organization oversight, vendor management programs, risk management processes, and regulatory oversight. The non-financial controls that make up the SOC 2 report are based on the five Trust Services Categories (TSC):
- Security – information and systems are protected against unauthorized physical and logical access that could affect the entity’s ability to meet its objectives.
- Availability – information and systems are available for operation and use as committed or agreed.
- Processing Integrity – information and systems processing is complete, accurate, timely, and authorized.
- Confidentiality – information that has been designated as confidential is protected to meet the user entity’s objectives.
- Privacy – personal information is collected, used, retained, disclosed, and destroyed in conformity with the user entity’s privacy notice.
Similar to the SOC 1 report, the SOC 2 report has the same structure and can be divided into Type I and Type II based on whether or not the control design and effectiveness need to be tested. Additionally, a SOC 2 report is often a prerequisite for service organizations to partner with tier-one organizations in the supply chain. Examples of the types of service organizations that would receive a SOC 2 report include data centers, SaaS, and network monitoring service providers.
How to Understand an Auditor’s Opinion
Once the testing process is complete, you will receive the report containing the auditor’s opinion, although the language of these reports can be tricky to understand. It is important to carefully review the report and understand the different types of opinions, paying close attention to the service organization’s controls that have the capacity to impact your business’s security.
Unqualified Opinion – Controls were designed effectively (Type I) or designed and operating effectively (Type II) to address the stated control objectives (SOC 1) or TSC (SOC 2).
Qualified Opinion – the auditor cannot deliver an unqualified opinion, but the qualified findings are not severe enough to warrant an adverse opinion. One or more control objectives (SOC 1) or TSC (SOC 2) were not effectively addressed.
Adverse Opinion – Testing exceptions are material and pervasive and controls are generally not designed and/or operating effectively.
Disclaimer Opinion – the auditor cannot deliver an official opinion because they were not able to obtain the necessary evidence required to develop an opinion.
The best outcome, for both the user entity and the service organization, is to receive an unqualified opinion. Reports that are concluded with any other type of opinion should elicit further examination and caution on the part of the user entity.
SOC reporting offers a comprehensive, repeatable reporting process to help establish trust and transparency between service organizations and stakeholders of user entities. By proactively identifying and addressing risk, businesses can ensure that contractual obligations are being addressed while reducing compliance costs upfront. If your organization is struggling to provide assurance around risk management and controls, our experienced team at K Financial can help.