SOC audits — the acronym stands for “System and Organization Controls” — provide assurance on the effectiveness of internal controls at service organizations such as advisory firms, technology vendors, and other businesses. SOC reports come in several forms, most notably SOC 1 and SOC 2 reports.

Don’t let the similarity in their names fool you; SOC 1 and SOC 2 reports, and the steps a vendor must undertake to comply with each one, are starkly different.

Indeed, SOC 1 and SOC 2 reports have only a few things in common:

  • Both are based on a set of auditing standards developed by the American Institute of Certified Public Accountants (AICPA), known as the Statement on Standards for Attestation Engagements 18 (SSAE-18, previously known as SSAE-16).
  • Both reports address service organizations, rather than publicly traded companies.
  • Both can generate Type I and Type II reports, which we’ll explain shortly.

Beyond those three basic points, SOC 1 and SOC 2 reports quickly part ways. They focus on different subjects, and involve different procedures.

Which type of SOC report your business should obtain depends on the nature of your organization, its needs, and what assurance you want: either assurance from your vendors, or assurance you want to provide to your own clients. Often, companies will want both.

What Is SOC 1?

A SOC 1 report assesses the effectiveness of an organization’s internal control over financial reporting (ICFR). A SOC 1 audit, performed by a certified public accountant, reviews the organization’s controls that affect the enterprise’s financial statements. The report answers questions such as: Are the internal controls well designed? Do they operate as intended, helping the organization meet its financial goals?

These reports focus on entity-level controls (including data protection) over the service provider’s financial-statement assertions, to assure that it meets regulatory requirements for financial reporting.

Publicly held companies must engage in SOC 1 reporting to comply with the Sarbanes-Oxley Act, which requires publicly traded companies to maintain effective ICFR. SOC 1 reports provide assurance that if the company relies on third parties as part of its financial reporting processes, those third parties themselves have effective ICFR and won’t pose a risk to the company.

What Is SOC 2?

SOC 2 reports assess the effectiveness of an organization’s controls over data security, availability, processing integrity, confidentiality, and privacy. These five elements are the “trust services criteria,” also known as the “trust services principles.”

These reports address cybersecurity controls, including organizational oversight, vendor management, internal corporate governance and risk management, and regulatory oversight.

Service organizations such as software-as-a-service (SaaS) providers, data center providers, and cloud computing hosts may provide SOC 2 reports to senior management, boards of directors, customers, regulators, business partners, and suppliers.

Types of SOC Reports

SOC 1 and SOC 2 reports can both be one of two types, known as Type I or Type II.

Type I reports review only whether the organization’s controls are designed effectively and whether management’s description of internal control is accurate. Essentially, Type I reports examine an organization’s internal controls at a single point in time.

Type II reports incorporate all the same information as Type I reports and then go further, assessing whether the internal controls actually work as intended. In other words, Type II reports examine the performance of internal controls over an extended period of time, typically one year.

Additional SOC 2 Reports

The AICPA has developed several more SOC 2 reports addressing other subjects and criteria. In collaboration with the Cloud Security Alliance (CSA), the AICPA established an assessment of cloud providers known as the CSA Security Trust and Assurance Registry (STAR) Attestation.

The “SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)” guides auditors when assessing the design and operating effectiveness of internal controls aligned to traditional SOC 2 reports, while also incorporating the criteria of the CSA CCM.

Yet another SOC 2 report focuses on controls specific to organizations that must comply with the Health Insurance Portability and Accountability Act (HIPAA). The AICPA collaborated with the Health Information Trust Alliance (HITRUST) to incorporate the HITRUST Common Security Framework (CSF) and map those criteria to the trust services criteria.

SOC 2 compliance does not guarantee that you will comply with the International Organization for Standardization’s ISO 27001 standard. ISO 27001 also focuses on security controls but is more rigorous than SOC 2.

SOC Compliance Management With Reciprocity ZenComply

Going through any kind of SOC audit is no easy task. It requires vendors to go through laborious processes for assessing risk, documenting business processes, testing controls, remediating weak controls, and then documenting their final control posture.

To do all this work manually with spreadsheets is folly; too many details will go overlooked or be recorded incorrectly. Organizations need a dedicated software tool to automate as much of the work as possible and to guide them through the process. This is where ZenComply from Reciprocity can help.

ZenComply’s simple dashboard allows you to see your progress on compliance with SOC reports or numerous other regulatory burdens, such as HIPAA, the GDPR, or SOX. It helps you to identify holes in your documentation and procedures and guides you on how to address them.

ZenComply compliance, risk, and workflow management software is a user-friendly platform that keeps track of your processes and helps you spot high-risk areas before they become a real problem.

Schedule a demo with us to see how ZenComply can help your company with its compliance initiatives.