Benefits of SOC reporting

Service Organization Controls (SOC) reporting provides benefits to both service providers and their clients by providing assurance over established standards. SOC reporting provides transparency and trust in the outsourcing of significant processes and in working with third parties that handle sensitive data.

As companies continue to outsource critical functions, there is a growing need to address the lack of insight into and trust in service providers' processes and controls. SOC reports are essential for demonstrating that key risks are addressed and that controls are operating effectively for relevant business processes and information technology (IT). By obtaining an independent audit and opinion, service providers build trust with various stakeholders and help clients meet financial reporting and regulatory requirements.

In summary, independent assurance through SOC reports helps to:

  • Provide transparency and build trust with existing customers and other stakeholders
  • Reduce inefficiencies and costs associated with conducting multiple customer audits and completing various vendor questionnaires
  • Establish a culture focused on addressing risks, implementing effective controls, and continuous improvement
  • Support demonstrating compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the General Data Protection Regulation (GDPR)
  • Meet customer contractual obligations
  • Provide a recognized standard for assessing control across international borders

Snapshot: SOC 1 and SOC 2 reports

SOC 1 and SOC 2 reports are among the most common types of attestation reports due to their broad applicability across various industries and their focus on critical aspects of services provided by third parties.

SOC 1 vs. SOC 2

SOC 1: Internal Control Over Financial Reporting (ICFR)

  • Reports on controls at a service organization relevant to a user entity’s ICFR
  • Generally covers relevant IT general controls and outsourced business process controls

SOC 2: American Institute of Certified Public Accountants (AICPA) Trust Services Principles

  • Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy


Type 1 vs. Type 2

There are two options for each report, a Type 1 and a Type 2, depending on the time period covered and extent of testing performed:

Type 1

Reports on whether processes and controls are designed and implemented at a specific point in time

Type 2

Reports on whether processes and controls are suitably designed and, based on testing, operating effectively over a period of time

SOC examinations and related reports

SOC 1

What is the purpose?

To provide information to a user entity’s auditor regarding the controls at a service organization that may be relevant to a user entity’s ICFR (financial statement audit and SOX).

The objective is to give clients and their auditors confidence that the service organization has adequate controls in place to handle transactions and other activities that could affect financial reporting.

Who are the users of the report?

User entity financial statement auditor, management, and internal audit.

What are the typical relevant organizations?

Organizations that handle client financial or non-financial information that impacts the financial statements or internal control over financial reporting.

Examples often include IT infrastructure, payroll processors, plan recordkeepers, investment advisors, custodians, and loan servicers.

SOC 2

What is the purpose?

To provide users with information about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy in support of a user entity’s evaluation of its own systems of internal control.

A SOC 2 focuses on the required common criteria (security), incorporates one or more of the AICPA trust services principles, and can integrate other industry-specific regulations and requirements. It is used primarily for vendor management programs, internal risk management processes, and regulatory oversight.

Who are the users of the report?

Management of the service organization and specified parties with sufficient knowledge and understanding of the service organization and internal controls (e.g., current and prospective customers, business partners, and regulators).

What are the typical relevant organizations?

Companies that obtain a SOC 2 report often handle sensitive customer data and operate in environments where data security and privacy are paramount.

Example organizations include data centers, cloud service providers, Software as a Service (SaaS) providers, health care providers, financial services, and background verification companies.

SOC 3

What is the purpose?

To provide interested parties with information about controls at the service organization that may affect the user entity’s security, availability, processing integrity, confidentiality, or privacy.


A SOC 3 is a simplified version of the SOC 2 report providing a summary of the information in a SOC 2 report but does not include detailed descriptions of the service organization’s system and controls.  It is used primarily for vendor due diligence.

Who are the users of the report?

General use for anyone with a need to understand a service organization’s controls.

What are the typical relevant organizations?

Similar organizations as a SOC 2 because a SOC 3 is a simplified version of the SOC 2 report and is intended for a general audience.

SOC for Cybersecurity

What is the purpose?

To provide intended users with useful information about an entity’s cybersecurity risk management program for making informed decisions.

Who are the users of the report?

Management, directors, analysts, investors, and others whose decisions might be impacted by the effectiveness of the entity’s cybersecurity risk management program.

What are the typical relevant organizations?

Any type of organization.

SOC for Supply Chain

What is the purpose?

To provide specified parties with information about the controls arising from business relationships with suppliers and distribution networks.

Who are the users of the report?

Management and specified parties who have sufficient knowledge and understanding of the entity and its supply chain management program.

What are the typical relevant organizations?

An organization that produces, manufactures, or distributes products.

SOC reporting journey

Our experience has shown that SOC 1 and SOC 2 pre-assessment reviews followed by SOC attestation examinations are the most effective approach as they allow for early identification and remediation of control concerns to eliminate surprises during the reporting phase and to minimize disruptions to your team.

Phase 1: Pre-assessment
  • Understand the service organization’s needs and determine the framework to be used (Control Objectives (COs) for SOC 1 and the AICPA Trust Services Principles for SOC 2)
  • Gain an understanding of the service organization’s people, processes, systems, infrastructure and related existing controls
  • Map existing controls to the COs / Trust Services Criteria (TSC)
  • Identify subservice organizations to determine the appropriate method to be used regarding these entities (i.e., the “carve-out method” or the “inclusive method”)
  • Assess the key controls to identify control gaps that may need to be remediated prior to the SOC report evaluation and issuance
  • Provide recommendations and leading practices for resolving control deficiencies and strengthening the control environment

Phase 2: Remediation and preparation performed by a service organization
  • A service organization:
    • Addresses control gaps identified in the pre-assessment
    • Performs the risk assessment
    • Finalizes management’s description of the system

Phase 3: SOC Type 1 examination
  • For a SOC 1, confirm that the control objectives and related controls are appropriate to be used as the basis for the SOC 1 Type 1 report
  • For a SOC 2, confirm the principles and criteria to be used to form the basis for the SOC 2 Type 1 report are appropriate
  • Provide feedback on management’s description of the system
  • Assess management’s risk assessment
  • Perform a walkthrough of controls to evaluate design
  • Issue the SOC 1 and/or SOC 2 Type 1 report(s)
  • Provide recommendations and leading practices for resolving control deficiencies, if any, and strengthening the control environment

Phase 4: SOC Type 2 examination
  • For a SOC 1, confirm that the control objectives and related controls are appropriate to be used as the basis for the SOC 1 Type 2 report
  • For a SOC 2, confirm the principles and criteria to be used to form the basis for the SOC 2 Type 2 report are appropriate
  • Assess management’s risk assessment
  • Perform a walkthrough of controls to evaluate design
  • Perform sample-based tests to evaluate operating effectiveness of controls
  • Issue SOC 1 and/or SOC 2 Type 2 report(s)
  • Provide recommendations and leading practices for resolving control deficiencies, if any, and strengthening the control environment

Our approach

Experience

Our professionals have experience with various technologies, across multiple industries, and in testing controls to successfully execute a proven approach to SOC reporting.

Innovation

Diverse teams bring different perspectives, skills and abilities. Collaboration leads to more creative and effective ways to address client needs.

Integration

We are a trusted partner that integrates with client teams to foster a collaborative environment.

Knowledge

We understand the AICPA SOC attestation standards and have experience guiding companies through the examination process.

Our services

Advisory

Pre-assessment

Performed under the AICPA Consulting Standards, a SOC pre-assessment based on the relevant attestation framework helps an organization prepare for the attestation. A pre-assessment offers recommendations for improvement and identifies control gaps prior to a SOC examination.


Attestation

SOC reporting

A SOC examination and related report, which is provided to customers and auditors, communicates the design and operating effectiveness of a service organization’s control environment, or is customized to meet specific industry or regulatory requirements.
