
System & Organization Controls (SOC) Reporting

Baker Tilly’s dedicated AICPA SOC specialists help organizations find the right reporting to fit their needs, including SOC 1 vs. SOC 2.


  1. Jeff Krull
  2. Brian Nichols
  3. Atit Shah

The American Institute of Certified Public Accountants (AICPA) developed SOC reporting as a valuable tool for organizations. SOC 1® and SOC 2® examinations give an organization's clients assurance over its internal processes, policies and security, and help ensure that vendors comply with their regulations and standards.

    Baker Tilly’s SOC specialists can help your company understand what SOC report best fits your needs, whether you need assurance over a specific area for a contract, or your organization needs to ensure proper compliance with regulations.

    You will work with an experienced, dedicated team who really understands SOC – because they not only perform SOC reporting, but are also involved in the AICPA’s committees that develop the standards for SOC reporting. Additionally, you will have access to partner-level resources throughout your engagement.

    Delivering SOC examinations remotely

    Our SOC practice uses a variety of technology tools to streamline our service delivery model and make sharing documents and requests seamless. These tools can also make it easy for our SOC clients to work remotely and share with us the documents and evidence needed as part of the SOC process. Our personnel are well versed in methods for facilitating video conferences, teleconference calls and live, online document-sharing sessions to perform SOC readiness and SOC examination services as efficiently as (if not more efficiently than) if we were on-site.

    In many cases, remote SOC project services can deliver the same quality service while minimizing travel expenses and space constraints that can accompany on-site work.

    If you are considering Baker Tilly for your SOC needs, let’s discuss these options together and how they could apply in your environment. If you already use Baker Tilly for your SOC needs, please talk with your engagement team about leveraging these tools to make the SOC process as efficient and effective as possible.

    SOC reporting options for your organization

    With several reporting options available, it is important to identify which SOC report is right for your organization. Reporting options include the SOC 1®, SOC 2®, SOC 3®, SOC for Cybersecurity and SOC for Supply Chain.

    SOC 1 reports

    SOC 1 reporting engagements provide user organizations with a strong sense of comfort about the outsourced services performed by service organizations on their behalf, which are relevant to their internal controls over financial reporting.

    • Purpose: Reports on the controls of the service organization that are relevant to the user organization's internal controls over financial reporting
    • Scope: Controls related to the accuracy of financial data and information technology general controls
    • Audience: User organization's financial executives, compliance officers and financial statement auditors

    SOC 2 and 3 reports

    Established to address other types of third-party risks outside of financial reporting, SOC 2 and 3 reports provide user organizations with assurance over the critical systems and sensitive data used to provide the outsourced services. Typically, these reports are used to meet vendor risk management requirements that customers may request surrounding security. While the two options have similar scope, a SOC 3 has less detail and, therefore, typically provides less value to report users.

    SOC 2 reports

    • Purpose: Reports on the effectiveness of the controls of the service organization related to operations, based on the selected trust services criteria (TSC)
    • Scope: Governance, operational and information technology general controls that address one or more of the TSC categories: security, confidentiality, availability, processing integrity and privacy
    • Audience: User organization's information technology executives, compliance officers, vendor management executives, regulators, other specified parties and appropriate business partners
    • Additional Criteria: SOC 2 reports can also include other suitable criteria, such as HITRUST, the HIPAA Security Rule and others

    SOC 3 reports

    • Purpose: Same purpose as SOC 2 report
    • Information required: Same information as SOC 2 report, but with a less detailed description of the controls of the service organization
    • Audience: Unrestricted and can be used by anyone who has the appropriate understanding of the subject matter and who would like confidence in the controls for the service organization

    SOC for Cybersecurity

    SOC for Cybersecurity is a risk framework that establishes common criteria and guidelines for communicating about an organization’s cybersecurity risk management program. It enables organizations to report on their cybersecurity management programs to external stakeholders with the credibility associated with an independent examination report.

    SOC for Supply Chain

    The AICPA has developed a report on an entity’s system and controls for producing, manufacturing or distributing goods to better understand the risks in an organization’s supply chain.

    Type 1 vs. Type 2 Reports

    Do not confuse SOC 1 and SOC 2 with Type 1 and Type 2. Both a SOC 1 and a SOC 2 can be either a Type 1 or Type 2. The key differences are:

    • Type 1 addresses the design of controls as of a point in time
    • Type 2 addresses the operating effectiveness of controls over a period of time
    • Type 1 reports provide less comfort to the intended audience of the report and are uncommon

    Unsure which report best meets your organization's needs? Take the questionnaire below and tell us more about your reporting scenario.

    If you’ve never had a SOC examination performed, you’re probably wondering what it entails.

    Determine report type and scope

    The first thing we need to do is help determine which report is most applicable to your environment and the needs of your organization and your clients.

    Ensure no surprises

    After we agree upon the type and scope of the examination, we typically perform a readiness assessment before your first SOC examination. The readiness assessment is a one-time review to identify your control activities satisfying each of the objectives or criteria. We will also determine potential test procedures and identify the types of evidence available to satisfy those test procedures. The deliverable provides recommendations on potential gaps in control activities and/or documentation.


    After we perform the readiness assessment, we allow you time to remediate control or documentation deficiencies before we begin our examination period.

    Document request

    Several weeks prior to fieldwork, we will send out a document request list to assist you in gathering the necessary evidence prior to our visit. This will also help us select samples for testing.

    Onsite testing

    When we arrive onsite, we will conduct our walkthroughs and observational testing and inspect the documentation you have provided for us. Interim fieldwork typically requires about one to two weeks onsite for small- to medium-sized organizations.

    Final fieldwork

    Towards the end of the examination period, we will perform final fieldwork where we will select additional samples and complete any remaining test procedures.

    Final report

    After final fieldwork, we will subject the final report to our internal quality control procedures and issue the report approximately four to eight weeks after the procedures are completed.

    Your team was fantastic to work with again this year. I compliment the amazing team you have and am looking forward to next year!
    Senior Vice President/Chief Technology Risk Officer of a large financial institution