Effective SOC reporting: Understanding your company’s options

Organizations have a variety of third-party reporting options, raising key questions about the most effective means to convey the control environment in place to users. System and organization control (SOC) reports are designed by the American Institute of CPAs (AICPA) to communicate those controls, but organizations must understand which report to choose to help users assess the risks of outsourcing providers.

For example, a SOC 1 report focuses on internal controls over financial reporting, with a Type 1 report assessing the design and implementation of controls as of a point in time and a Type 2 report assessing the design and implementation as well as the operating effectiveness of controls over a period of time. However, users are often more interested in security, availability, processing integrity, confidentiality or privacy. In these cases, a SOC 2 or SOC 3 report may be more appropriate.

In addition, with cyberthreats emerging and evolving each day, organizations are under pressure to document and detail their controls and capabilities to detect, deter and recover from cybersecurity events. In response, the AICPA has developed a SOC for cybersecurity reporting framework to help users gain a better understanding of an organization’s cybersecurity risk management efforts.

The following chart provides details on the objectives of and differences between each SOC reporting option:

With the importance of obtaining assurance beyond financial reporting risk, many service providers are being required to have a SOC 2 report in order to be considered as a business partner. Both SOC 2 and 3 reports require a detailed description of the system.

Components of the service organization system

The AICPA requires a service organization to describe all system components within its report. This description must be detailed enough to provide users with insight into all layers of technology within the organization, including:

Understanding SOC 2 and 3 options

When issuing a SOC 2 and 3 report, service organizations have the ability to perform one or many of the trust service categories based on the service they provide to user entities and the contractual obligations and commitments they have with customers.

The AICPA has developed a variety of different criteria that make up each category. While selecting a category beyond security is optional, once a service organization picks a category, every criteria must be achieved. Those criteria are predefined, so organizations know what compliance needs are required through their control activities.

The categories and criteria underwent several changes for 2017, reflecting a new focus on cybersecurity and an enhanced perspective on the data transaction life cycle. These changes were made to include COSO 2013 guidelines and emerging cybersecurity risks.

Trust service categories: What do we see in the marketplace?

While the security category is required, availability is the most popular of the other four, followed by confidentiality. In the last few years, confidentiality has gained significant momentum, as various regulations from different governing bodies and even large corporations have implemented new requirements for how service organizations must handle personally identifiable information (PII), protected health information (PHI) or other information that is deemed confidential.

Processing integrity is an applicable category if an organization processes a high-volume of information (e.g., a claims processor). However, these reports typically are similar in scope to a SOC 1 report, so many organizations that require processing integrity can likely rely on the SOC 1 information that has already been issued.

Privacy also requires a larger cost to a service organization both to prepare and be ready for an eventual attestation. A more significant amount of remediation is often involved with privacy and the cost to issue the report is substantial in comparison to the other criteria. In many cases, many aspects of the confidentiality principle overlap with privacy, and confidentiality may be the better fit for the organization.

Choosing and executing the right SOC report

Selecting the appropriate reporting options(s)

The first step in determining which SOC reporting option an organization should choose is to discuss the services offered. Do those services affect financial statements, or are they only managing applications, systems or data? Another key driver for SOC report selection is reviewing contractual obligations and requirements and determining the commitment to customers.

Service organizations also must understand the level of detail that is needed from a SOC report. The amount of detail is a key differentiator between SOC 2 and SOC 3 reports. Much of the work that goes behind SOC 2 and 3 reports are the same with the same set of categories, criteria and testing. However, a SOC 3 report is a very brief report, with very limited results, tests and controls shown.

Regarding presentation, the SOC 2, which is more common, is more in line with an SOC 1 report, providing a full description of an organization’s system. It has all of the controls in the organization and the testing and results for each individual control test.

Getting prepared for an SOC attestation

In addition to choosing a report, an organization must understand how to prepare for an attestation. An SOC readiness assessment can help in these efforts in several ways, including:

• Assisting in documenting management’s control activities
• Mapping those controls to either control objectives or criteria
• Assisting management in drafting the systems description
• Identifying potential gaps or observations in the control environment
• Providing detailed recommendations for remediation

The ultimate goal of a readiness assessment is for the service organization to determine if they are prepared for a future SOC attestation.

Types of SOC attestations

Many service organizations have difficulty differentiating the types of SOC attestations, their purpose and which is necessary. As mentioned earlier, SOC 1 and SOC 2 reports each have Type 1 and Type 2 reports, depending on specific needs. A Type 1 assessment is an attestation over the design and implementation of an organization’s controls as of a specific point in time. Alternatively, a Type 2 report is an attestation of the design, implementation and operating effectiveness of controls over a period of time.

The SOC reporting timeline

In our experience, SOC readiness engagements typically take between six and eight weeks and attestations are normally issued from 45–60 days after the report end date. We provide observations in real time, so the organization can begin remediation immediately. Once the readiness assessment is completed, it is management’s responsibility to remediate the issues that are identified. However, that time can vary depending on management’s availability and the necessary scope of changes. That should take place before a SOC 1 Type 2 or SOC 2 Type 2 report period begins.

Conclusion

On the surface, SOC reporting can seem like a complex initiative for service organizations. However, understanding the differences between reports and implementing the necessary steps to prepare for an attestation can greatly streamline the process. Ultimately, SOC reporting is a necessary initiative for businesses to understand and assess the control environments of business partners, and service organizations must implement steps to ensure the process is efficient and accurate, and the right reports are chosen and delivered.