Risk Advisory: System and Organization Controls (SOC) Reporting

As businesses expand their services by outsourcing more functions to third-party providers, concerns grow about financial reporting, privacy, regulatory compliance and security. As a result, the customers of these service organizations, and the customers' auditors, seek transparency about how information is collected, processed and managed, and how its confidentiality is safeguarded.

To provide that assurance, our Risk Advisory specialists examine the design and operating effectiveness of a service organization's internal controls and issue System and Organization Controls (SOC) reports.

Our audit, technology and risk mitigation expertise helps service providers promote transparency and trust.

Added Value for Service Organizations

For organizations subject to banking, healthcare, payment card and data privacy regulations, these reports are a key tool for monitoring external service providers and their underlying subservice organizations, both of which are treated as an extension of the organization's own operations. A SOC report is often a contractual requirement for service organizations pursuing new business or maintaining existing contracts that call for an annual evaluation of internal controls. Displaying the AICPA SOC logo on an organization's website signals to prospective and existing stakeholders that an independent SOC examination has been completed; a SOC report is an attestation by an independent CPA, not a certification.

Benefits That Span Industries

These reports also promote transparency by enabling service organizations' customers and their auditors to understand how a provider's processes and technologies may affect the customer's own control environment. They identify complementary user entity controls, the controls the customer itself is expected to have in place for the service organization's controls to achieve their objectives, which may in turn affect the customer's financial statements or operations. The report also describes the subservice organizations the provider relies on, whether each is carved out of or included in the examination, and the design and operating effectiveness of the controls tested.

Additional benefits include:

  • Independent attestation that controls are suitably designed and, in a Type 2 report, operating effectively.
  • Minimized regulatory, financial and reputational risk.
  • Reduced compliance costs.
  • Less time devoted to vendor due diligence questionnaires and audits.
  • Enhanced transparency to clients.

Our Customized, Comprehensive Process

Our process begins with a thorough SOC Readiness Assessment, also called a SOC Gap Analysis, that inventories existing controls, identifies control gaps or weaknesses and provides recommendations for improvement. This gives management the time and opportunity to resolve deficiencies before the SOC attestation engagement and to select the appropriate type of report, which includes:

  • SOC 1 Report – Helps customers and their financial statement auditors evaluate the effect of the service organization's controls on the customer's internal control over financial reporting. The controls addressed in a SOC 1 Report are those that prevent, detect and correct misstatements that could affect a customer's financial statements.

  • SOC 2 Report – Rather than focusing on financial reporting, this report describes a service organization's controls against one or more of the AICPA Trust Services Categories and their associated criteria. The five Trust Services Categories are Security, Availability, Confidentiality, Processing Integrity and Privacy; Security is included in every SOC 2 examination, and the others are added according to the commitments the service organization makes to its customers. Service organizations typically pursue this report to address IT-related processes, applications and regulatory compliance.

  • SOC 2+ Report – For clients with more stringent requirements, this report extends a SOC 2 examination by mapping the controls to additional compliance and regulatory frameworks such as COBIT, ISO, GDPR and NIST, so that one examination can support several reporting obligations.

    In each of the three reports described above, clients may elect a specific focus, such as:

    • Type 1: Addresses whether management fairly presented the service organization's system and whether the controls were suitably designed to achieve the stated control objectives or Trust Services Criteria as of a specified date. A Type 1 report does not test whether the controls actually operated.

    • Type 2: Addresses whether management fairly presented the service organization's system and whether the controls were suitably designed and operated effectively to achieve the stated control objectives or Trust Services Criteria throughout a specified period, typically six to twelve months. It includes a description of the auditor's tests of controls and their results, which is why customers and their auditors generally ask for a Type 2 report.

  • SOC 3 Report – Provides prospective customers, and others who cannot receive the restricted-use SOC 2 Report, with the auditor's opinion on the effectiveness of controls at the service organization as measured against one or more Trust Services Categories. This is a general use report that can be freely distributed. It omits the detailed system description and the description of the operating effectiveness tests and their results found in a SOC 2 Report, so it cannot substitute for one in a customer's vendor due diligence. Service organizations typically obtain this report for marketing purposes.