SOC 1, SOC 2 & SOC for Cybersecurity

There are times when management assesses the viability, cost savings and quality improvements associated with outsourcing certain functions to a third-party vendor. Many businesses realize increased profitability by turning over functions such as data management, cloud computing, telecommunications, application development, and various payroll and accounting functions to a vendor. Vendors not only tend to have more experience but have already made important investments in systems, processes, and people that are difficult to duplicate without great expense. While there are compelling benefits to such an arrangement, businesses need to ensure the proper safeguards exist to protect their data. Although many contracts require certain protections, it is often necessary to obtain an independent System and Organization Controls (SOC) report. These reports provide the independent verification that customers need from, and require of, their vendors (service organizations). To help clients, prospects, and others, Windham Brannon has provided a summary of SOC report types and their purposes below.

SOC Report Types

There are five general types of SOC reports, including:

  • SOC 1 Reports – This report is typically used by financial processing companies such as payroll providers, medical claims processors, loan servicers, data centers, and software-as-a-service companies. A SOC 1 report is used to validate that the service organization’s controls are suitably designed, or both suitably designed and operating effectively, to address financial reporting risks. SOC 1 report results are not shared publicly and are typically shared only with a customer’s management team and financial statement auditor. There are two types of SOC 1 reports, Type I and Type II.
    • Type I – This type of report documents and describes controls as of a specific date. Type I reports evaluate the design of controls but do not render an opinion on their operating effectiveness.
    • Type II – This type of report covers a period of time (typically 6 months or more) and includes not only a description of internal controls but also an attestation as to the operating effectiveness of those controls over that period.
  • SOC 2 Reports – This report addresses the service organization’s controls as they relate to the AICPA’s Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. SOC 2 reports are essential to a customer’s oversight, governance and risk management processes. There are two types of SOC 2 reports, outlined below.
    • Type I – This type of report attests to the fairness of presentation of the system description and the design of system controls at a specific point in time.
    • Type II – Like a Type I, this type reports on the fairness of presentation of the system description and the design of controls, but it also attests to the operating effectiveness of each. In addition, this report covers a reporting period rather than a single point in time.
  • SOC 3 Reports – This report typically includes the same testing and analysis procedures leveraged in a SOC 2 report, but it omits information about the service organization’s control structure and the auditor’s test procedures and results. This is necessary as SOC 3 reports are meant for public distribution.
  • SOC for Cybersecurity – This report is designed to provide assurance about the service organization’s cybersecurity risk management program. An effective risk management program should provide reasonable assurance that material breaches are prevented, detected and remediated in a reasonable timeframe.
  • SOC for Supply Chain – This report is designed to provide assurance about the system used to produce, manufacture, or distribute products and the relevant controls. The report helps organizations communicate to their customers how they identify, assess, and manage risk in their supply chain.

SOC Readiness Assessment

If your service organization has never completed a SOC examination, the task may seem painstaking and overwhelming. That is why Windham Brannon offers a SOC Readiness Assessment to evaluate whether internal controls are sufficient before any SOC examination takes place. Using a risk-based approach, our team of experienced consultants and auditors can identify risk factors, uncover gaps in controls and provide a recommended action plan to help you be fully prepared for an upcoming SOC examination.

Contact Us

The different SOC report types are designed to give service organizations and their customers assurance about relevant controls. Ensuring your Atlanta company obtains the proper SOC report type is essential to meeting customer requirements and to positioning the business for the future. If you have questions about the information outlined above or have been asked to provide a SOC report, Windham Brannon can help. For additional information, call us at 404-898-2000 or click here to contact us. We look forward to speaking with you soon.