The definitive guide to SOC 2 compliance
If you want to ensure that a service provider is managing your data with complete care and is protecting what's most important to you, there's one thing you should be looking for: SOC 2.
If you consider yourself a security-conscious business, SOC 2 compliance should be a minimum requirement when choosing a new software provider.
But there's a bit to it, and it can be easy to get confused by different terminology and descriptions. This guide will outline exactly what matters when it comes to SOC 2 compliance.
What is a SOC report? (the quick answer)
In short, a Systems and Organization Controls (SOC) report is a report describing the design and operation of internal controls performed by a service organization.
SOC reports are performed and issued by a Certified Public Accountant (CPA) to provide an independent (i.e. non-biased) opinion on the state of internal controls of a service organization for a defined period of time.
A SOC report provides valuable information to the management of a service organization and the users of the services provided by a service organization.
Explaining a SOC report in more detail
As with most activities performed by accountants, the short answer to understanding a SOC report requires knowledge of some background and an understanding of terminology to get a full picture of its meaning, use, and value.
So it's beneficial to briefly cover some of the history and terminology associated with SOC reports.
AICPA and SOC reports
The American Institute of Certified Public Accountants (AICPA) is an association created to establish rules and standards for CPAs and the accounting profession.
They have published a wealth of rules, standards, guidance, and publications regarding the accounting profession and services offered by CPAs, and are responsible for developing and publishing the criteria used as a benchmark for performing SOC examinations.
All businesses and organizations have risks that may negatively impact their business and ability to achieve defined business goals. Management may try to eliminate these risks but in most cases, risks can never be fully eliminated.
So rather than attempting to fully eliminate them, management implements procedures, processes, technology, and people to perform functions that reduce the likelihood of a risk event occurring. These functions are called internal controls, and a SOC report includes a description and independent professional opinion of how the internal controls of a service organization operate.
Service organizations and user entities
There are many different types of businesses. Some sell physical or digital products (i.e. items purchased by a customer for use) and others sell services (i.e. activity performed by the business and delivered to the customer).
In reference to a service organization for SOC 2 compliance, a service organization can be an organization that solely provides a service to a customer, or it can be an organization that sells products and provides services to a customer.
By SOC 2 definition, a service organization is an entity (organization or business) that provides services to a user of a system or service, which are called 'user entities', and provides service commitments (i.e. service guarantees) to user entities in connection with the services received from the service organization.
SOC 1 vs. SOC 2 reports
With some of the most important terms related to SOC reports defined, it's easier to understand the difference between a SOC 1 and SOC 2 report.
SOC 1 report (and control objectives)
A SOC 1 report is a report that provides a CPA’s opinion on internal controls and 'control objectives' of a service organization for business processes that are likely to be relevant to a user entity’s financial reporting.
Control objectives are statements of purpose, or goals, related to a particular process, procedure, or system function.
The purpose of a control objective is to establish an expectation, or outcome, for the successful completion of a process or procedure that supports effective, or 'good', internal control over financial reporting. For example, a company that processes investment income for a company or individual may require a SOC 1 report to provide confidence that the investment income is calculated properly.
Here is an example of one of several control objectives that may be included within the SOC 1 report:
Control Objective: Investment Income—Controls provide reasonable assurance that investment income is calculated accurately, completely, and within a timely manner.
Internal controls included within this section of the report would be related to the achievement of complete, accurate, and timely processing of investment income.
There are many other control objectives that can be included within a SOC 1 report, depending on the nature of services that are performed by a service organization. Control objectives can be related to fee calculations, loan processing, fund administration, asset purchases, bank reconciliations, etc.
A SOC 1 report differs from a SOC 2 report, primarily due to the distinctive requirement for a SOC 1 report to meet the needs of user entities that require an opinion on internal controls that have an impact on the financial reporting of a company.
SOC 2 report (and trust service categories and criteria)
A SOC 2 report is a report that provides a CPA’s opinion on service commitments and system requirements based on applicable 'Trust Services Categories and Criteria' established by the AICPA.
Trust Services Categories
Trust Services Categories are categorical topics pertaining to the overall service commitments made by a service organization. They represent a service organization’s responsibilities relating to the Security, Availability, Confidentiality, Processing Integrity, or Privacy (Trust Service Categories) of a system or service, which have been communicated to users of the system or service.
A SOC 2 report is a report focused on the overall security of a system. The Security category is the main service commitment for a SOC 2 report and is a mandatory service commitment for every SOC 2 report (i.e. you cannot exclude this service commitment from any SOC 2 report):
Security: This commitment relates to a service organization’s responsibility for implementing appropriate safeguards and security measures to protect a system from unauthorized access or improper functionality. Internal controls associated with this service commitment include controls for physical access, logical access, network security, data encryption, and corporate governance activities.
Some of the categories are optional to include with a report, and the senior management of a service organization are responsible for making the decision on whether to include these additional categories within the scope of their report:
Availability: This commitment applies to a service organization’s responsibility for maintaining a system that operates without any prolonged outages or service disruptions. Some companies provide system availability commitments of 95%-99%.
Confidentiality: This commitment pertains to a service organization's responsibility for protecting the sensitivity and confidentiality of the information collected, processed, or stored within the system. Activities associated with this service commitment include controls for data encryption, data retention, and data disposal.
Processing Integrity: This commitment relates to a service organization’s responsibility for ensuring that data will be processed accurately and maintain its integrity (i.e. will not be inappropriately or mistakenly altered) by the service organization’s system during collection, processing, and storage activities. Service organizations that have a system or service that is responsible for performing calculations, data conversion, document conversion, etc. may decide to include this category within the scope of their report.
Privacy: This commitment pertains to a service organization’s responsibility for protecting personal information collected, processed, or stored by their system or service. These protections mostly relate to the prevention of unauthorized disclosure of a data subject’s (or individual, like yourself) personally identifiable information (PII) and include activities associated with the rights of data subjects, such as receiving consent to collect and use PII, processing requests to modify or remove PII, requesting access to PII, and other PII protection-related activities.
Quite often, you will find that a SOC 2 report includes Security, Availability, and Confidentiality as the categories included, as these are common service commitments that are made by many service organizations.
Trust Services Criteria
Trust Services Criteria (TSCs) are specific measuring points that are followed by CPAs when they perform examinations.
There are TSCs associated within each Trust Service Category, and the internal controls that are included within a SOC 2 report are related to these TSCs. Here is an example TSC and internal control to help you understand how TSCs and internal controls are related within a SOC 2 report:
Type I vs. Type II report
The differences between a SOC 1 report, SOC 2 report, Type 1 report, and Type 2 report are fairly simple concepts, yet, they can often be confused. So it's important to understand the differences and applicability of these four different types of SOC reports:
Type 1 report
A Type 1 (Type I) report is a SOC report that includes a CPA’s professional opinion on the 'design' (only) of internal controls applicable to one of the five Trust Service Categories.
A CPA conducting an examination for a Type 1 report performs most of the same procedures that would be conducted within a Type 2 report. But the extent of testing procedures that are performed by the CPA is limited in comparison to those performed in a Type 2 examination.
A Type 1 report includes a limited set of testing procedures because a CPA is only providing a professional opinion on the service organization’s activities for implementing internal controls related to Trust Service Categories, but not providing any opinion on how these controls have operated over a given period of time (i.e. controls exist, but they may or may not be operating as intended to met Trust Service Category responsibilities).
This provides some confidence that the service organization is performing activities to implement security and practices to maintain their commitments for the system (or service), however, it does not provide as much assurance as a Type 2 (Type II) report.
Type 2 report
A Type 2 (Type II) report is a SOC report that includes a CPA’s professional opinion on the design and operation of internal controls applicable to one of the five Trust Service Categories. A CPA conducting an examination for a Type 2 report performs all necessary procedures to evaluate the design and operation of the internal controls of a service organization.
Testing procedures associated with the performance of a Type 2 report include evaluating all internal controls that are to be included within a SOC report. Additional testing procedures are required because a CPA must obtain and evaluate evidence that supports the successful operation of internal controls over a given period of time (which typically can be 3 months, 6 months, 9 months, or 12 months).
Receiving the clean opinion ('unqualified opinion') from a CPA provides an unbiased, independent, opinion on the design and operation of internal controls supporting applicable Trust Services Categories for a given period of time. And a clean Type 2 report communicates that the service organization performs appropriate activities to adhere to best practices for security and additional service commitments.
A SOC 1 or SOC 2 report can be a Type 1 or a Type 2 report. To help remember the differences, refer to this table.
Other types of SOC reports
SOC 1 and SOC 2 reports are two of the most common types of SOC reports you can receive from a service organization, but there are several other types of SOC reports.
SOC 3 report
A SOC 3 report is a 'general use' report, which means that it was created to be distributed to system users and other interested parties for general use purposes.
This report often excludes many of the specific or technical details associated with the internal control operations of a service organization and can be requested and received from a service organization relatively easy, if the service organization has agreed to have a SOC 3 report issued for their organization.
SOC for Cybersecurity
A SOC for Cybersecurity report is similar to a SOC 1 or SOC 2 report, but the purpose of the report is specific to the cybersecurity and risk management practices performed by a service organization.
SOC for Supply Chain
A SOC for Supply Chain report is similar to a SOC 1 or SOC 2 report, but the purpose of the report is specific to the supply chain operations and risk management practices performed by a service organization.
Importance of SOC reports
With an understanding of the basics and important topics regarding SOC reports, you can now consider their importance and answer the following questions:
Why do system users want a SOC report?
In connection with the system (or service) that a service organization provides to their customers, they often provide service commitments related to the Trust Service Categories.
Every service organization believes in their product and processes, and will be happy to tell you that its security practices are top-notch and adhere to the best standards to protect your information. But they are, of course, biased. Have you ever heard a service organization state that their security practices are not up to par with best practices?
SOC reports, and the CPAs performing the examinations and procedures to issue a SOC report, are required to provide a non-biased, independent, and professional opinion of the state of internal controls at a service organization. This provides system users with a reliable opinion on the state of internal controls at a service organization.
System users (user entities) need to have a reliable opinion on internal controls for several reasons, including having assurance concerning the protection of their data or to understand and demonstrate that a service organization is appropriately implementing security practices for services that the system user is providing to their customers.
Why do service organizations need a SOC report?
Service organizations have many users of their system that require assurances pertaining to the operation of a system (or service). The service organization has a responsibility to demonstrate its ability to safeguard the operation of their system to its users, to maintain confidence and ultimately retain their business.
The service organization can elect to have their user inspect or audit their internal control environment on their own to gain required assurances. However, this can be very time-consuming and costly for their users, and for the service organization.
A SOC report allows a certified professional (CPA or CPA firm) to conduct one examination, issue one SOC report, and deliver the report to the service organization, which can then be distributed to any of their users. This saves time and money for both the service organization and system users.
Great relationships are built on trust
SOC reports are a great tool of communication for a service organization and their users. They communicate important and trustworthy information regarding the service organization and their ability to safeguard your information and provide quality service.