System and Organization Controls (SOC) reports, previously referred to as SAS 70 reports, come in several varieties. These reports, which must be reviewed and approved by an external auditor, document internal controls relevant to an organization’s financial reporting.
SOC 1 focuses on controls that affect financial statements. A Type 1 report follows a standardized format. The first section describes the service organization’s system. The second section incorporates management’s assertion about its system, the suitability of the controls’ design, and the controls’ operating effectiveness in meeting the control objectives. The third section, the auditor’s report, contains the auditor’s opinion on whether management’s description of the system and controls fairly presents their design and effectiveness. A Type 2 report includes all the information contained in a Type 1 report and also incorporates a description of the auditor’s control testing and the results of that testing.
SOC 2 focuses on controls surrounding information security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type 1 report follows a standardized format as well. The first section is a description of the service organization’s system. The second section is management’s written assertion about its system, the suitability of the controls’ design, and the controls’ operating effectiveness in providing reasonable assurance that the service organization’s commitments and system requirements meet the applicable trust services criteria. The third section, the auditor’s report, contains the auditor’s opinion on whether management’s description of the system controls is aligned to the description criteria and fairly presents the suitability of their design and their operating effectiveness in meeting the reasonable assurance requirements based on the trust services criteria. A Type 2 report contains all of the Type 1 information as well as a description of the auditor’s control testing and the results of that testing.
If a service organization chooses to incorporate additional subject matter as part of its SOC 2 report, then it must provide additional information. The report will evaluate the organization’s description of the facilities’ physical characteristics and the completeness and accuracy of historical data. For service organizations that need to be compliant with the Health Insurance Portability and Accountability Act (HIPAA), the report will also include a review of the security requirements listed in the HIPAA Administrative Simplification section of the act. These align to the HITRUST Cybersecurity Framework (CSF). Service organizations choosing to incorporate a review of their use of cloud service providers will have a report that aligns to the criteria established by the Cloud Security Alliance’s Cloud Controls Matrix.
To learn more, read our Ultimate Guide to Running a SOC 2 audit.