The ABCs of an SOC Report

March 4, 2015

If you provide a service to other companies, there is a very good chance you have been asked or will be asked if you have a Service Organization Control (SOC) report. These are sometimes also referred to as SSAE16 audits or in the past were referred to as SAS 70 reports.

If you have not been asked about these yet, are your customers and prospects asking you about your internal control environment? Or even auditing you via an on-site visit or questionnaire? Or have you seen these terms on a recent request for proposal (RFP) and didn’t know what they meant?

SOC reports evolved from a need for an internationally accepted standard in controls documentation. This need has grown consistently year over year, as companies rely more and more on outsourced business services. The reports are performed by independent third-party auditors to give an objective evaluation of a company’s financial reporting, IT, operational and compliance controls.

Three different SOC reports were created to accommodate the different needs of users. The SOC 1 report is based on control objectives determined by the service organization, which represent the activities relevant to the services it provides to user entities. The SOC 2 report is based on established trust principles regarding Security, Availability, Processing Integrity, Confidentiality and Privacy. The SOC 3 report is similar to a SOC 2 report; however, it does not contain a description of the tests and results and is more of a marketing tool.

SOC 1
  • Who the users are: Users’ controller’s office and user auditors
  • Why: Audits of financial statements
  • What: Controls relevant to user financial reporting

SOC 2
  • Who the users are: Management, regulators, customers, others
  • Why: GRC programs, oversight, due diligence
  • What: Concerns regarding security, availability, processing integrity, confidentiality or privacy

SOC 3
  • Who the users are: Any users with a need for confidence in the service organization’s controls
  • Why: Marketing purposes; detail not needed
  • What: Seal and easy-to-read report on controls

Also, each SOC report comes in two different types: a Type 1 and a Type 2 report. The Type 1 report covers a specific point in time, such as an “as of” date, and evaluates the design effectiveness of the controls only (are there policies and procedures in place?). The Type 2 report covers a period of time, such as January 1, 2014 – December 31, 2014, and evaluates not only the design of the controls but also their operating effectiveness through sample testing.

Type 1
  • Specified point in time
  • Evaluates design effectiveness only

Type 2
  • Period of time
  • Design evaluation and testing are performed
  • Most user organizations require this type

Please contact us at Schenck about these reports. We would be happy to walk you through the process and help you to gain a better understanding as to how this may pertain to your business.