Overview
Introduction: What are SOC® Examinations?
A System and Organization Controls (SOC) report provides independent verification of a third-party vendor’s systems and controls. There are three main categories of SOC reports: SOC for Service Organizations, SOC for Cybersecurity and SOC for Supply Chain.
SOC examinations give leaders of service organizations an opportunity to demonstrate trust and transparency to their customers. Committing to strong control systems is a safeguard for the organization as well as for the businesses it works with. And with cybersecurity an ever-increasing threat, now is the time to proactively address and manage risks before a breach occurs. Because data security is a key component of SOC examinations, they give organizations a competitive advantage in attracting and retaining customers.
What is a SOC 1® examination and what are the different types?
A SOC 1® examination is designed to assess whether the internal controls of a service organization are suitably designed and operating effectively to address financial reporting risks. SOC 1 examinations are typically performed for payroll providers, medical claims processors, loan servicers, and SaaS companies that provide a service with a financial reporting impact. SOC 1 reports are “restricted use” reports, commonly used by the service organization’s customers, management and auditors.
There are two types of SOC 1 reports. A Type 1 report documents and describes controls as of a specific date. It tests the design of those controls but does not evaluate their operating effectiveness. A Type 2 report covers a specified period, usually at least six months, and not only describes the internal controls but also evaluates how well they are working.
What is a SOC 2® examination and what are the different types?
SOC 2® examinations are broader and are designed to address a service organization’s controls as they relate to the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria. The Trust Services Criteria cover availability, security, processing integrity, confidentiality and privacy.
SOC 2 reports support organizational and regulatory oversight, vendor management, internal corporate governance and risk management. They are used by external stakeholders and those charged with governance.
Like SOC 1 examinations, there are two types of SOC 2 reports. A Type I report assesses whether the system design and its presentation are fair at a specific point in time. A Type II report evaluates the same fairness of presentation and additionally attests to how well the controls are operating. Type II reports cover a reporting period rather than a specific point in time.