After attending this presentation, participants will be able to:
– Understand the different types of SOC reports and what they cover
– Learn why an organization would request a SOC report
– Recognize the key elements in a SOC report
“SOC” report = System and Organization Controls report
Key terms:
– Service organization
– User organization
– Service auditor
– User auditor
– Subservice organization
– CUEC (complementary user entity control)
– CSOC (complementary subservice organization control)
– Type 1
– Type 2
What are the different types of SOC reports?
– SOC 1
– SOC 2
– SOC 3
– SOC for cybersecurity
– SOC for supply chain
– SOC 2+
SOC 1
Control objectives and control activities relevant to internal control over financial reporting (ICFR)
SOC 2
Utilizes the Trust Services Criteria
SOC 3
Similar to a SOC 2, but for broader distribution (uncommon)
SOC for cybersecurity
Reports on an organization’s cybersecurity program
SOC for supply chain
Currently under development by the AICPA
SOC 2+
Allows the addition of “other suitable criteria” such as HIPAA, HITRUST, etc.
Drivers of SOC reports
Internal and external drivers are creating increased momentum for stronger vendor risk management:
– Increased number and complexity of vendor relationships
– Inability to identify relevant risks by vendor
– Key organizational initiatives involve strategic partnerships
– Increased frequency and magnitude of cyber attacks
– Regulatory focus on vendors as a component of enterprise risk management
– Executive accountability by boards for managing risks
SOC reporting options
The “best” option is subjective, based on the nature and risks of the outsourced services and on user entity requests.
Q: Which type of SOC examination report should a service organization provide?
A: Typically, there isn’t a “right” answer; the type of report is based on what the service organization’s clients are asking for.
Polling question #2
Do you utilize a service provider and do they provide you with a SOC report?
a) We utilize a service provider but they do not provide us with a SOC report
b) We receive a SOC 1 from our service provider
c) We receive a SOC 2 from our service provider
d) We receive both a SOC 1 and SOC 2
e) Not applicable or not sure
Key elements of a SOC report: there are 5 sections
Section 1 – Opinion
– Opinion covers:
- Fairness of presentation
- Design of controls
- For Type 2 – tests of operating effectiveness over a period of time
– Qualification
- SOC 1 is qualified at the control objective level
- SOC 2 is qualified at the criteria level
- Pervasiveness of the failure and presence of compensating controls help determine whether the opinion is qualified
– Subservice organizations
– Reference to Section 5
– CUECs
Section 2 – Management’s Assertion
– Similar to the opinion
– Fairness of presentation
– Design
– Operating effectiveness
Section 3 – System description
– Overview of operations
– System description/components/transaction processing
– COSO components – relevant aspects of:
- Control environment
- Risk assessment
- Monitoring
- Information and communication
– Complementary user entity controls
– Description criteria (if applicable)
Section 4 – Controls matrix, testing, results
– Includes the service organization’s control activities to address the control objectives (SOC 1) or the Trust Services Criteria (SOC 2)
– Includes the service auditor’s tests of controls
– Includes test results
– The “meat” of the report
Section 5 – Other information provided by management
– Management responses to testing exceptions
– Disaster recovery
– Not covered by the opinion
– Must be disclaimed in the opinion