SOC Reports Overview

There are three different SOC reports available for service providers. To make it more confusing, there are two types of reports as well which we will discuss below. SOC 1 reports, are designed to provide assurance that a company’s internal controls over their client’s financial reporting are appropriate and operating effectively. If you provide a financial service to your clients (payroll provider, expense reimbursement, etc.) the SOC 1 report is right for you. SOC 2 reports are designed to provide assurance that a company’s internal controls over information security meets certain criteria and are designed and operating effectively. If you impact the security of your clients data in some way, the SOC 2 is right for you. A SOC 3 report is essentially a SOC 2 report without the detailed results, designed to be published publicly. If you want to provide public assurance of your information security without disclosing any internal details of your system, the SOC 3 is right for you. All SOC report standards are governed by the American Institute of Certified Public Accountants (AICPA) and issued by a Certified Public Accountant.

SOC 1 Type II

The SOC 1 Type II is typically the second report issued and is much more valuable external parties because it reports on the effectiveness of the controls in your organization over time. Are you doing what you said you’re doing? Do the policies match the actual operation of your company? Best practice dictates that the report cover a period of time of at least 6 months and no more than 12 months. The means Type II reports can’t be created in a short period of time. Typically the Type II audit review is scheduled 6-months after issuance of the Type I report. After a SOC 1 Type II report is issued, it is generally renewed on an annual basis.

Overview

It’s easy to get lost in all of the acronyms and “audit speak” around SOC 2 reports. Your customers may be already asking, “do you have a SOC 2?” To be more confusing, there are Type I and Type II versions, and five principles to consider with SOC 2. SOC 2 reports are generally best for companies that process or store information for customers. Maybe you’re a SaaS software startup, a multinational cloud company, or anything in between, the SOC 2 report is likely the best report for you.

Details

SOC 2 has become the standard way in the US, similar to ISO 27001 in Europe, for a service provider to provide information security assurance to their clients and partners. SOC 2 reports are designed to provide external entities such as customers, partners, and audit firms with assurance that a company’s information systems have the appropriate internal controls around one or more of the Trust Services Principles and Criteria (e.g. security, availability, processing integrity, confidentiality, or privacy). The common criteria, referred to as the security principle, is the required principle. The additional four principles; availability, processing integrity, and confidentiality are all optional. Unlike the SOC 1 report, SOC 2 reports have a defined set of principles and criteria that must be met in order to be compliant.

SOC 2 Type I

The SOC 2 Type I report is a report on compliance issued for a single point in time. While there is no requirement to perform a Type I before a Type II, it is typically the first step a company takes down the road of compliance. It provides an overview of your company and control environment, references to your policies and procedures, and an opinion on the suitability and design of the controls in place at the point in time of the audit. If a company is prepared, a Type I audit and report can be issued within a relatively short period of time; a key advantage. Type I reports are almost always just a stepping stone toward a SOC 2 Type II report.

SOC 2 Type II

The SOC 2 Type II report is the one that your customers and partners are after. It reports on the effectiveness of the controls within your company over time. Are you following all of your policies and procedures consitently? Have you implemented all of those security controls? It takes a commitment for a company to rise to the standard of a SOC 2 audit. The struggle of most companies is knowing what level of control is right for the company size. Per AICPA guidance, SOC 2 reports cover a period of at least 6 months and no more than one year. More recently, CPA’s have been willing to issue Tyoe II reports for a 90 day period for first-time audits. Planning ahead and getting started early is only way you’ll be able to meet the needs of your customers.