What is an SOC audit?

A comprehensive look at an organization's internal controls and cyber security

Amid rising cases of cyber attacks, third-party service providers have come under increased regulatory scrutiny. 

Late last year, suspected Russian hackers used SolarWinds' business software updates to spread malicious code that impacted the US Department of Homeland Security (DHS), cyber security firm FireEye, and Microsoft, to name a few. 

In a separate incident, hackers gained access to Oldsmar, Florida's water treatment plant via remote access software in an attempt to poison the city's water supply. 

Security incidents like these can negatively impact a vendor's business continuity by causing ripple effects that can last for months or even years. One way to ensure internal controls are operative and effective is to conduct a system and organization controls (SOC) audit. 

Governed by the American Institute of Certified Public Accountants (AICPA), an SOC audit is an independent assessment of an organization's internal controls. The audit is generally led by a certified public accountant (CPA) appointed by the AICPA. 

CPAs examine many aspects of an organization, including security, confidentiality, and finances. A successful SOC audit can earn the service provider the right to use the AICPA logo on its website. 

Although SOC audits aren't mandatory, they're becoming increasingly popular as a part of companies' due diligence process. Here is a breakdown of the types of SOC reports and their significance.

Types of SOC reports 

There are five SOC reports: SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain. 

SOC 1

An SOC 1 report assesses an organization's internal control over financial reporting. There are two types of SOC 1 audits. The SOC 1 Type I audit ascertains the design and implementation of transaction processes at a particular point in time (on a specific date). The SOC 1 Type II audit, on the other hand, measures the operating effectiveness of processes and controls over a period of time — typically 12 months.

Only the top management, customers, and the financial statement auditors receive an examination report on SOC 1 due to the sensitive nature of the information.

SOC 2

As per the trust services criteria (TSC), SOC 2 examines a service organization's internal control over five categories: security, availability, confidentiality, processing integrity, and privacy. Like SOC 1, SOC 2 reports are of two types.

The SOC 2 Type I report evaluates the design and description of a service provider's software. The SOC 2 Type II report affirms the design and operating effectiveness of the service. Also like SOC 1, SOC 2 reports are limited to management, customers, and auditors of financial statements.

SOC 3

SOC 3 is a concise version of the SOC 2 Type II report. Easy to understand, SOC 3 reports are often used for marketing, and a service provider may publish one on its website.

According to the AICPA, the SOC 3 report is tailored to meet the needs of service organizations seeking assurance about controls related to security, availability, processing integrity, confidentiality, and privacy but lacking the information necessary to use an SOC 2 report effectively.

SOC for Cybersecurity

The SOC for Cybersecurity is a general-use report that communicates the effectiveness of an organization's cyber security policies.

Specifically, the report includes describing an entity's cyber security risk management program, management's assertion, and practitioner's report (opinion letter). The Type I version of the SOC for Cybersecurity is a design-only examination. The Type II tests the design and operating effectiveness of controls — similar to an SOC 2 Type II report.

SOC for Supply Chain

The SOC for Supply Chain report includes information on the system an entity uses to produce, manufacture, or distribute products, specific controls employed to meet AICPA trust services criteria, test procedures, and results. 

Additionally, the report contains management's assertion and the practitioner's opinion on the effectiveness of system controls.

Choosing between SOC 1, 2 and 3

Assessing your organization's SOC needs begins with choosing the most appropriate SOC report type. 

Since the deciding factor between SOC 1 and SOC 2 is whether a service organization's internal controls impact client internal controls over financial reporting, it's relatively straightforward to differentiate between them.

For example, if you are a financial services provider that performs transactions, you may request an SOC 1 report about your transaction processing and operations. However, IT service providers with increased security concerns can benefit from the SOC 2 report, which adheres to the AICPA's trust service principles: security, availability, processing integrity, confidentiality, and privacy. 

Compliance with SOC 2 also entails compliance with SOC 3 because the latter covers the same operating principles as SOC 2, except for results from tests or management's opinions on how the processes have been carried out. 

How to prepare for an SOC audit

An initial readiness assessment is the best preparation for a comprehensive SOC examination. A warm-up audit also gives you the chance to work through issues before any official audit. 

The SOC readiness assessment may be handled internally by IT staff or by external auditors contracted by the organization. Organizations preparing for their first SOC engagement or transitioning from one SOC report to another may find SOC readiness reviews particularly useful.

Here are six steps you can take to prepare for an SOC audit:

  1. Define the purpose of your audit. An SOC 1 report is most appropriate if you wish to describe your financial controls in more detail. Likewise, if you have concerns about the privacy of your customers' data, you may need an SOC for Cybersecurity audit.
  2. Define the scope of the audit — who you'll need the report for, which services you need audited, what systems are under audit, and why the report is needed.
  3. Secure regulatory compliance. Industry-specific regulatory compliance policies like PCI DSS, HIPAA, or GLBA instill trust.
  4. Review policies — ensure written policies are clear and well-documented.
  5. Perform a readiness assessment. Check for vulnerabilities and loopholes.
  6. Hire a certified auditor. Although risk assessment can be done internally, a fresh set of eyes can reveal new insights.