What is an SOC audit?

Amid rising cases of cyber attacks, third-party service providers have come under increased regulatory scrutiny.

Late last year, suspected Russian hackers used SolarWinds' business software updates to spread malicious code that impacted the US Department of Homeland Security (DHS), cyber security firm FireEye, and Microsoft, to name a few.

In a separate incident, hackers gained access to Oldsmar, Florida's water treatment plant via remote access software in an attempt to poison the city's water supply.

Security incidents like these can negatively impact a vendor's business continuity by causing ripple effects that can last for months or even years. One way to ensure internal controls are operative and effective is to conduct a system and organization controls (SOC) audit.

Governed by the American Institute of Certified Public Accountants (AICPA), an SOC audit is an independent assessment of an organization's internal controls. The audit is generally led by a certified public accountant (CPA) appointed by the AICPA.

CPAs examine many aspects of an organization, including security, confidentiality, and finances. A successful SOC audit can earn the service provider the right to use the AICPA logo on its website.

Although SOC audits aren't mandatory, they're becoming increasingly popular as a part of companies' due diligence process. Here is a breakdown of the types of SOC reports and their significance.

Types of SOC reports

There are five SOC reports: SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain.

SOC 1

An SOC 1 report assesses an organization's internal control over financial reporting. There are two types of SOC 1 audits. The SOC 1 Type I audit ascertains the design and implementation of transaction processes at a particular point in time (on a specific date). The SOC 1 Type II audit, on the other hand, measures the operating effectiveness of processes and controls over a period of time — typically 12 months.

Only the top management, customers, and the financial statement auditors receive an examination report on SOC 1 due to the sensitive nature of the information.

SOC 2

As per the trust services criteria (TSC), SOC 2 examines a service organization's internal control over five conditions: security, availability, confidentiality, processing integrity, and privacy. Like SOC 1, SOC 2 reports are of two types.

The SOC 2 Type I report evaluates the design and description of a service provider's system. The SOC 2 Type II report affirms the design and operating effectiveness of the service's controls. Also like SOC 1, SOC 2 reports are limited to management, customers, and auditors of financial statements.

SOC 3

SOC 3 is a concise version of the SOC 2 Type II report. Easy to understand, SOC 3 reports are often used for marketing, and a service provider may publish one on its website.

According to the AICPA, the SOC 3 report is tailored to meet the needs of service organizations seeking assurance about controls related to security, availability, processing integrity, confidentiality, and privacy but lacking the information necessary to use an SOC 2 report effectively.

SOC for Cybersecurity

The SOC for Cybersecurity is a general-use report that communicates the effectiveness of an organization's cyber security policies.

Specifically, the report includes a description of the entity's cyber security risk management program, management's assertion, and the practitioner's report (opinion letter). The Type I version of the SOC for Cybersecurity is a design-only examination. The Type II tests the design and operating effectiveness of controls — similar to an SOC 2 Type II report.

SOC for Supply Chain

The SOC for Supply Chain report includes information on the system an entity uses to produce, manufacture, or distribute products, specific controls employed to meet AICPA trust services criteria, test procedures, and results.

Additionally, the report contains management's assertion and the practitioner's opinion on the effectiveness of system controls.

Choosing between SOC 1, 2 and 3

Assessing your organization's SOC needs begins with choosing the most appropriate SOC report type.

Since the deciding factor between SOC 1 and SOC 2 is whether a service organization's internal controls affect its clients' internal controls over financial reporting, it is relatively straightforward to differentiate between them.

For example, if you are a financial services provider that performs transactions, you may request an SOC 1 report about your transaction processing and operations. However, IT service providers with increased security concerns can benefit from the SOC 2 report, which adheres to the AICPA's trust service principles: security, availability, processing integrity, confidentiality, and privacy.

Compliance with SOC 2 also entails compliance with SOC 3 because the latter covers the same operating principles as SOC 2, except for results from tests or management's opinions on how the processes have been carried out.

How to prepare for an SOC audit

An initial readiness assessment is the best preparation for a comprehensive SOC examination. A warm-up audit also gives you the chance to work through issues before any official audit.

The SOC readiness assessment may be handled internally by IT staff or by external auditors contracted by the organization. Organizations preparing for their first SOC engagement or transitioning from one SOC report to another may find SOC readiness reviews particularly useful.

Here are six steps you can take to prepare for an SOC audit:

  1. Define the purpose of your audit. An SOC 1 report is most appropriate if you wish to describe your financial controls in more detail. Likewise, if you have concerns about the privacy of your customers' data, you may need an SOC for Cybersecurity audit.
  2. Define the scope of the audit — who you'll need the report for, which services you need audited, what systems are under audit, and why the report is needed.
  3. Secure regulatory compliance. Industry-specific regulatory compliance policies like PCI DSS, HIPAA, or GLBA instill trust.
  4. Review policies — ensure written policies are clear and well-documented.
  5. Perform a readiness assessment. Check for vulnerabilities and control gaps.
  6. Hire a certified auditor. Although risk assessment can be done internally, a fresh set of eyes can reveal new insights.