System and Organization Controls (SOC) Reporting

SOC for Service Organizations reports are designed to help service organizations that provide services to other entities, build trust and confidence in the service performed and controls related to the services

What type of SOC report is right for your organization?

SOC 1

These reports are used for evaluating the effect of the controls at the service organization on the user entities’ financial statements

SOC 2

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:

SOC 2+
This report extended beyond the SOC 2 trust service criteria (Security, Confidentiality, Process Integrity, Availability and Privacy) to focus on other respected business related regulatory and compliance frameworks, like HIPPA, NIST or GDPR.  

SOC 3
These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. Because they are general use reports, SOC 3 reports can be freely distributed.

How SOC reporting can help

Obtaining a SOC report differentiates the service organization from its peers by demonstrating the establishment of effectively designed internal corporate governance and oversight.

  1. Meeting client need and expectations
  2. Managing cost
  3. Improving your business
  4. Meet contractual obligations and marketplace concerns through flexible, customized reporting
  5. Proactively address risks across your organization
  6. Increase trust and transparency to internal and external stakeholders

How Accorp Partners will Assist you in SOC Compliance

The Accorp Partners Service Organization Control (SOC) compliance service provides a wide range of assurance services in the form of SOC 1 Type I Type II report, SOC 2 Type I & Type II report and SOC 3 reports which broadly cover trust and transparency issues by incorporating risk management. We provide financial and nonfinancial reporting options to service organizations and the organizations can go with any of the SOC attestation and reports as per their organization’s objectives and their user entity’s objective and we also ensure that the organization would implement the right set of business and IT controls and convey correct information to user entity and their stakeholders which enhance the organizations Governance and monitoring standard.

Accorp has a team of professionals who has rich expertise in almost all Business and IT processes and can bring insight to the reporting process. Additionally, a skilled and independent auditor will assist your company in navigating the challenges and complexities of SOC reporting and attestation .

  1. Conducting a readiness gap assessment by using the organization specific relevant SOC framework and their client objectives. With the result of readiness assessment, we provide recommendations for remediation of potential gaps.
  2. Prepare a SOC report which organizations can share with their clients, or other stakeholders, to provide transparency into the implemented IT controls and effectiveness Business environment.
  3. Prepare a customized SOC report which can meets specific client or industry requirements, like SOC 2+ for the payment processing industry, GDPR or HIPPA.

FAQ Related to SOC 2

SOC 1 financial reporting controls
  1. Financial services – Custodial services
  2. Healthcare claims processing
  3. Payroll processing
  4. Payment Processing
  1. Cloud ERP service
  2. Data center colocation
  3. IT systems management

SOC 2/SOC 3 operational controls

  1. Enterprise cloud e-mail
  2. Cloud collaboration
  3. Software-as-a-service-(SaaS)- based HR services
  4. SaaS enterprise system housing third-party data
  5. Any service where topics such as security, availability, and privacy are areas of concern
Domain Trust Services Principle Applicability
Security Under this Trust service principle, the SOC scoped IT system and Business services are protected against unauthorized access that addresses physical and logical both ways of access.
  1. Most commonly requested area of coverage
  2. Security Criteria are also incorporated into the other Principles because security controls provide a foundation for the other domains
  3. Applicable to all outsourced environments, particularly where enterprise users require assurance regarding the service provider’s security controls for any system, nonfinancial or financial
Availability This trust service principle ensure that the IT and Business system should be available for operation and provide services as committed or agreed with the client and respected stake holders.
  1. Second most commonly requested area of coverage, particularly where disaster recovery is provided as part of the standard service offering
  2. Most applicable where enterprise users require assurance regarding processes to achieve system availability SLAs as well as disaster recovery which cannot be covered as part of SAS 70 or SOC 1 reports
Confidentiality This trust service principle addresses that the Information which are designated as confidential should be protected adequately as committed or agreed by the stakeholders.
  1. Most applicable where the user requires additional assurance regarding the service provider’s practices for protecting sensitive business information
Processing Integrity This trust service principle addresses that the System processing is complete, accurate, timely and authorized.
  1. Potentially applicable for a wide variety of non- financial, and financial scenarios wherever assurance is required as to the completeness, accuracy, timeliness, and authorization of system processing
Privacy This trust service principle ensures that the Personal information is adequately collected, stored, used, disclosed and purged in compliance with the commitments as per the user entity’s privacy notice and by setting up a criterion set forth in normally accepted privacy principles in accordance with AICPA.
  1. Most applicable where the service provider interacts directly with end users, and gathers their personal information
  2. Provides a strong mechanism for demonstrating the effectiveness of controls for a privacy program
Audit Preparation Audit
Define audit scope, and overall project time line Provide overall project plan
Identify existing or required controls through discussions with management, and review of available documentation Complete advance data collection before on-site work to accelerate the audit process
Perform readiness review to identify gaps requiring management attention Conduct on-site meetings, and testing
Communicate prioritized recommendations to address any identified gaps Complete off-site analysis of collected information
Hold working sessions to discuss alternatives, and remediation plans Conduct weekly reporting of project status, and any identified issues
Verify that gaps have been closed before beginning the formal audit phase Provide a draft report for management review, and electronic, and hard copies of the final report
Determine the most effective audit, and reporting approach to address the service provider’s external requirements Provide an internal report for management containing any overall observations, and recommendations for consideration

A SOC 2 Type I audit is an audit reporting on the policies and procedures a company has established at a particular point in time. It is generally the first step taken and is often referred to as “test of design.” It will answer the question, “are the controls properly in place?” A SOC 2 Type II audit is a “test of effectiveness” over a period of time. The “period of time” is generally no less than 6 months and no more than a year. It will answer, “is your company following its own policies?”

SOC 2 preparation usually happens in a few stages. First, your company should identify all “key systems” and perform a gap analysis against all requirements documented in the Trust Services Principles and Criteria. Next, existing security controls should be identified and policies and procedures should be written to meet all requirements. This can take anywhere from a few weeks to up to 6 months, depending on the size and maturity of your company. At this point you are ready for the SOC 1 Type I audit. A SOC 2 Type II audit is typically performed 6 months later.

Traditional SAS 70 SOC 1 SOC 2 SOC 3
Auditor’s Opinion Auditor’s Opinion Auditor’s Opinion Auditor’s Opinion
- Auditor’s Opinion Management Assertion Management Assertion
Assertion System Description (including controls) System Description (including controls) System Description (including controls) System Description (including controls)
Control objectives Control objectives Criteria Criteria (referenced)
Control activities Control activities Control activities -
Tests of operating effectiveness Tests of operating effectiveness Tests of operating effectiveness -
Results of tests Results of tests Results of tests -
Other Information (if applicable) Other Information (if applicable) Other Information (if applicable) -

Featured Resources

owner

CPA(U.S), CA

Sanyam Goel

Trust and Transparency Solutions Leader, Accorp