SOC: System and Organization Controls


What is SOC reporting?

System and Organization Controls (SOC) reports are a type of assurance report used to evaluate an organization's internal controls. SOC reports are prepared by an independent third party, typically a CPA firm, and are used to provide assurance to customers, regulators, and other stakeholders that the organization has appropriate controls in place to protect the confidentiality, integrity, and availability of its systems and data.

SOC - System and Organization Controls

A SOC report is an attestation report prepared under AICPA attestation standards, performed and issued by service auditors.

American Institute of Certified Public Accountants (AICPA)

SOC for Service Organizations reports are internal control reports, provided by independent CPAs (service auditors), on the services that a service organization provides to user entities.

  • This is not a certification; it is an attestation. The auditor issues an opinion on the organization's controls, and no certificate is awarded.

SSAE 18 - Statement on Standards for Attestation Engagements No. 18

AICPA - The American Institute of Certified Public Accountants is the national professional organization for Certified Public Accountants (CPAs) in the United States.

ICFR - Internal Control over Financial Reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP).

ITGC - IT general controls are the basic controls applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure. Their objective is to ensure the integrity of the data and processes those systems support. The usual ITGC domains are logical access management, change management, and IT operations (backups, job scheduling, incident handling).

User Entity (UE): an organization that uses the services provided by a service organization.

Service Organization (SO): an organization that provides services to user entities.

Sub-service Organization (SSO): an organization to which a service organization outsources part of the service it delivers to user entities.

Service Auditor (SA): an independent CPA who examines the service organization's controls and issues the SOC attestation report.

User Auditor (UA): the user entity's own auditor, an independent third party that audits the user entity and relies on the SOC report for the controls the user entity has outsourced.

Example - the UE is HDFC Bank, the SO is TCS, and the SSO is Microsoft Azure (a service provider to the SO).

Why SOC Report / Benefits of SOC attestation

  • It is useful for evaluating the effectiveness of controls related to the services performed by a service organization.
  • It shows how the service organization maintains oversight of the third parties (sub-service organizations) involved in delivering its services, and whether those sub-service organizations also have appropriate controls in place. Check which method the report uses: under the inclusive method the sub-service organization's controls are covered by the report, while under the carve-out method they are excluded and the user entity must obtain the sub-service organization's own SOC report.
  • It helps reduce the compliance burden by providing one report that addresses the shared needs of multiple users. For example, TCS provides services to many customers, so it can provide one report to all of them instead of undergoing a separate audit for each.
  • It enhances the ability to obtain and retain customers.
  • It reduces compliance costs and the time spent on audits and vendor questionnaires.

AICPA SOC Suite of Services

SOC 1® - SOC for Service Organizations: ICFR (Internal Control over Financial Reporting)

Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting (ICFR)

This report is used to evaluate the controls that a service organization has in place to support its customers' financial reporting. It is typically used by service organizations whose services may affect their customers' financial statements, for example payroll processing, claims processing, or hosting of financial systems.

SOC 2® - SOC for Service Organizations: Trust Services Criteria

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

This report is used to evaluate the controls that an organization has in place relevant to the security, availability, processing integrity, confidentiality, and privacy of its systems and data. It is typically used by service organizations that store or process customer data, such as SaaS and cloud providers, or that have high security and availability requirements.

Trust Services Criteria - Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the common criteria) is always in scope; the other four categories are included only if the service organization selects them, so check which categories a given SOC 2 report actually covers.

SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report

This report is a general-use summary derived from a SOC 2 examination: it contains the auditor's opinion and management's assertion, but not the detailed system description, the list of controls, or the auditor's tests and results. It is typically used to provide assurance to customers and other stakeholders that the organization has appropriate controls in place for the trust services criteria in scope.

SOC 1 and SOC 2 are restricted-use reports: they are intended for the user entities, their auditors, and others with sufficient knowledge of the system (for SOC 2, prospective customers are typically given the report under NDA).

SOC 3 is a general-use report and can be freely distributed, for example on the service organization's website.

Attestation Standards

SSAE 18 (Statement on Standards for Attestation Engagements No. 18)

  • AT-C Section 105: Concepts common to all attestation engagements
  • AT-C Section 205: Examination engagements
  • AT-C Section 320 (SOC 1 only): Reporting on an examination of controls at a service organization relevant to user entities' internal control over financial reporting

SOC 2 and SOC 3 engagements are performed under AT-C 105 and 205 together with the AICPA's Trust Services Criteria.

International Standard on Assurance Engagements (ISAE) 3402 is the international equivalent used for service organization (SOC 1 type) reports outside the United States.

https://www.otava.com/wp-content/uploads/2019/04/SOC-report-comparison-table.jpg

The major differences between SOC 1, SOC 2 and SOC 3

There are three primary types of SOC reports. The first two are the most used, and SOC 2 is the one of most concern to technology companies.

SOC 1 and SOC 2 are the most common SOC reports. Both are issued as Type 1 (controls are suitably designed as of a point in time) or Type 2 (controls were also tested for operating effectiveness over a review period, typically 6 to 12 months). A Type 2 report is the one to ask a vendor for, since a Type 1 says nothing about whether the controls actually operated.

The difference between SOC 1 and SOC 2 is that SOC 1 focuses on controls relevant to the user entity's financial reporting, whereas SOC 2 focuses on operational and security controls measured against the Trust Services Criteria.

SOC 3 is a variation of SOC 2 covering the same trust services criteria, but it omits the detailed system description, control list, and test results and is presented for a general audience rather than an informed one. If a SOC 2 report is for auditors and stakeholders inside the company you're selling to, SOC 3 is for that company's customers. There are a couple of other SOC reports that are rarer and outside the scope of this article:

  • SOC for Cybersecurity reports on the effectiveness of an entity's cybersecurity risk management program; it is not limited to service organizations.
  • SOC for Supply Chain reports on the controls within an entity's production, manufacturing, or distribution system that are relevant to supply chain risk.
