One of the most important reports for third party (vendor) and SOX compliance is the SOC 1 or SOC 2 Type 2 Audit. The SOC 1 or SOC 2 Type 2 audit (attest) report provides for SOX compliance and assurance on controls. SOC compliance reports are part of AICPA’s SSAE 18 Attest Standard that is now used for the SOC 1, SOC 2, and SOC 3 reports. Since 1992, these reports have been known as SAS 70 audit reports. In 2011 the SOC 1 was brought under SSAE 16 Standard and SOC 2 under AT 101. Finally, in 2017 the SSAE 16 along with other SSAE standards got merged into one SSAE 18, bringing all SOC 1, SOC 2 and SOC 3 reports under SSAE 18.
SOC now stands for "System and Organization Controls". The definition got changed in 2017 from the earlier one as "Service Organization Controls" as these compliance reports were mainly being used for vendor (third-party) compliance audits as these organizations are also service organizations. It helps to build confidence and trust between the entities and the service provider.
SOC 1 pertains to ICFR i.e., Internal Control over Financial Reporting. Under this standard, reporting is done over the controls of service organization over its end user’s financial reporting. This is classified under two categories Type 1 reporting & Type 2 reporting
A SOC 2 report is an engagement performed under the AT section 101 and is based on the existing Trust Services Principles, Criteria and Illustrations (SysTrust and WebTrust). This report will have the same options as the SSAE 16 report where a service organization can decide to go under a Type I or Type II audit. However, unlike the SSAE 16 audit that is based on internal controls over financial reporting the purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality or privacy. Organizations asked to provide an SSAE 16, but do not have an impact on their client’s financial reporting should select this reporting option.
SOC 3 reporting is done in line with SOC 2 reporting, with the only difference that SOC 3 reporting is meant for general use or for customers who need assurances regarding the necessary controls maintained and managed by the organization. SOC 3 reports can be freely distributed while SOC 1 & SOC 2 reports are meant to be restricted in distribution.
As a service provider, you need to guarantee your customers that your IT controls are aligned, designed and applied effectively to its control objectives. Also, any organization that wants to put their information systems up against best practices and those who may use this report to ensure that they have controls to provide security, confidentiality of stored information, processing integrity of transactions, system availability and privacy. Many organizations are good candidates for a SOC 2 report. If you are a service provider and may potentially impact the control environment of one or more of your clients’ financial reporting activities you should consider a SOC 1 (SSAE 16) report.
We have developed channel partnerships with select CPA firms who can utilize the SecurWires platform/reports to help customers get SOC 2 Reports. Customers would have the option to select which firms they would like to partner with or select their CPA firms and inform SecurWires to develop a partnership with that firm.