System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.
SOC for Service Organizations
Internal control reports on the services provided by a service organization, giving users the information they need to assess and address the risks associated with an outsourced service
- SOC 1® — SOC for Service Organizations: ICFR
- SOC 2® — SOC for Service Organizations: Trust Services Criteria
- SOC for Service Organizations: SOC 2® HITRUST
- SOC for Service Organizations: SOC 2® CSA STAR Attestation
- SOC 3® — SOC for Service Organizations: Trust Services Criteria for General Use Report
SOC reports provide three options for reporting on controls that address either financial or operational and compliance risks. SOC engagements are performed under the AICPA Attestation Standards: SOC 1 reports use the Attestation Standards directly, while SOC 2 and SOC 3 reports apply the Attestation Standards against the Trust Services Principles. See our FAQs for detailed information.
SOC reports are available as a type 1 (controls are properly designed, in place and documented at a point in time) or a type 2 (controls are properly designed, in place, documented and are operating effectively over a period of time).
SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.
SOC 2 and SOC 3 reports provide options for companies that do not process financial transactions but require assurance reporting as part of the services they offer their customers. Service organizations choose a SOC 2 or SOC 3 to provide assurance to consumers, business partners, bankers, creditors, and regulators that effective controls are in place to meet business and compliance goals. The growth of technology and online business has increased the value of these examinations. Developing and maintaining effective internal controls over sensitive and confidential information is an increasingly important part of the cost of doing business online.
For many service organizations, complying with multiple industry standards and regulations is mandatory in order to do business with customers that trust them to safeguard the information they handle.
For example, a datacenter hosts a website that processes and stores credit card data, hosts an online prescription drug provider website, and provides co-location services to a publicly traded company. In this example, the datacenter is asked to provide its customers with a Payment Card Industry (PCI) Report on Compliance (ROC), a Health Insurance Portability and Accountability Act (HIPAA) report, and a SOC 2/SOC 3 report.
Each report is based on a separate accounting standard or regulation that requires an individual third-party assessment every year, adding to the cost of doing business and draining time and resources away from core business activities.
When completing a SOC 2 or SOC 3 examination, a service organization can include "additional subject matter" in its report. This additional subject matter may include anything not covered by the Trust Services Principles (TSP), such as controls relating to PCI and HIPAA requirements and any other specific controls required by customers.
SOC for Cybersecurity
The AICPA has issued the Cybersecurity Risk Management Reporting Framework as a flexible framework for organizations to take a proactive approach to cybersecurity risk management. This framework is intended for management to use to design and describe its cybersecurity risk management program and is a key component of the new SOC for Cybersecurity engagement.
The SOC for Cybersecurity report will include:
- Management’s description – The description of the entity’s cybersecurity risk management program.
- Management’s assertion – Management provides the assertion regarding the presentation and effectiveness of the controls in place to achieve the cybersecurity criteria.
- Practitioner’s opinion – A CPA firm’s opinion on the description and effectiveness of controls in place to achieve the cybersecurity criteria.