PowerPoint example with several slide variations
Author BK10943, Created Date 12/16/2019 2:08:34 PM (posted 21-Aug-2020)

Slide 3

After attending this presentation, participants will be able to:

– Understand the different types of SOC reports and what they cover
– Learn why an organization would request a SOC report
– Recognize the key elements in a SOC report

Slide 5

“SOC” report = System and Organization Control report

– Service organization
– User organization
– Service auditor
– User auditor
– Subservice organization
– CUEC (complementary user entity control)
– CSOC (complementary subservice organization control)
– Type 1
– Type 2

Slide 7

What are the different types of SOC reports?

– SOC 1
– SOC 2
– SOC 3
– SOC for cybersecurity
– SOC for supply chain
– SOC 2+

Slide 8: SOC 1

Control objectives and control activities relevant to internal controls over financial reporting (ICFR)

Slide 9: SOC 2

Utilizes the Trust Services Criteria

Slide 12: SOC 3

Similar to a SOC 2, but for broader distribution (uncommon)

Slide 13: SOC for cybersecurity

Reports on an organization’s cybersecurity program

Slide 14: SOC for supply chain

Currently under development by the AICPA

Slide 15: SOC 2+

Allows the addition of “other suitable criteria” such as HIPAA, HITRUST, etc.

Slide 17: Drivers of SOC reports

The slide groups the drivers as internal and external:

– Increased number and complexity of vendor relationships
– Inability to identify relevant risks by vendor
– Key organizational initiatives involve strategic partnerships
– Increased frequency and magnitude of cyber attacks
– Regulatory focus on vendors as a component of enterprise risk management
– Executive accountability by boards for managing risks

Together these produce increased momentum for stronger vendor risk management.

Slide 18: SOC reporting options

The “best” option is subjective, based on the nature and risks of outsourced services and user entity requests.

Q: Which type of SOC examination report should a service organization provide?

A: Typically, there isn’t a “right” answer, and the type of report is based on what their clients are asking for.

Slide 22: Polling question #2

Do you utilize a service provider, and do they provide you with a SOC report?

a) We utilize a service provider, but they do not provide us with a SOC report
b) We receive a SOC 1 from our service provider
c) We receive a SOC 2 from our service provider
d) We receive both a SOC 1 and a SOC 2
e) Not applicable or not sure
Slide 25: Key elements of a SOC report

There are 5 sections in a SOC report.

Slide 26: Section 1 – Opinion

– Opinion covers:
  - Fairness of presentation
  - Design of controls
  - For Type 2 – test of operating effectiveness over a period of time
– Qualification
  - SOC 1 is qualified at the objective level
  - SOC 2 is qualified at the criteria level
  - Pervasiveness of failure and presence of compensating controls help determine qualification
– Subservice providers
– Reference to Section 5
– CUECs

Slide 27: Section 2 – Management’s Assertion

– Similar to the opinion
– Fairness of presentation
– Design
– Operating effectiveness

Slide 28: Section 3

– Overview of operations
– System description/components/transaction processing
– COSO components – relevant aspects of:
  - Control environment
  - Risk assessment
  - Monitoring
  - Information and communication
– Complementary user entity controls
– Description criteria (if applicable)

Slide 29: Section 4 – Controls matrix, testing, results

– Includes the service organization’s control activities to address the control objectives (SOC 1) or the Trust Services Principle(s) criteria (SOC 2)
– Includes the service auditor’s tests of controls
– Includes test results
– The “meat” of the report

Slide 30: Section 5 – Other information provided by management

– Management responses to testing exceptions
– Disaster recovery
– Not covered by the opinion
– Must be disclaimed in the opinion