Home    About Us    Services    Resources    Careers    Contact Us

Service Organization Controls (SOC)
SOC stands for Service Organization Controls, and are standards designed to assist service organizations imparting services to their clients and customers. It helps to build confidence and trust between the entities and the service provider.

One of the most important reports for third party (vendor) and SOX compliance is the SOC 1 or SOC 2 Type 2 Audit. The SOC 1 or SOC 2 Type 2 audit (attest) report provides for SOX compliance and assurance on controls. SOC compliance reports are part of AICPA’s SSAE 18 Attest Standard that is now used for the SOC 1, SOC 2, & SOC 3 reports. Since 1992, these reports have been known as SAS 70 audit reports. In 2011 the SOC 1 was brought under SSAE 16 Standard and SOC 2 under AT 101. Finally, in 2017 the SSAE 16 along with other SSAE standards got merged into one SSAE 18, bringing all SOC 1, SOC 2 & SOC 3 reports under SSAE 18.

SOC now stands for "System and Organization Controls". The definition got changed in 2017 from the earlier one as "Service Organization Controls" as these compliance reports were mainly being used for vendor(third-party) compliance audits as these organizations are also service organizations.


SOC 1

SOC 1 pertains to ICFR i.e., Internal Control over Financial Reporting. Under this standard, reporting is done over the controls of service organization over its end user’s financial reporting. This is classified under two categories Type 1 reporting & Type 2 reporting

     
  • Type 1 Report: Reporting focuses on the suitability of the designof controls of a financial organization and the related objectives on a specified date.
  •  
  • Type 2 Report:Reporting focuses on the suitability of the effectiveness of controls of a financial organization to achieve the related objective throughout the specified period.


SOC 2

A SOC 2 report is an engagement performed under the AT section 101 and is based on the existing Trust Services Principles, Criteria and Illustrations (SysTrust and WebTrust). This report will have the same options as the SSAE 16 report where a service organization can decide to go under a Type I or Type II audit. However, unlike the SSAE 16 audit that is based on internal controls over financial reporting the purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality or privacy. Organizations asked to provide an SSAE 16, but do not have an impact on their client’s financial reporting should select this reporting option.

SOC 2 reporting standard was created by the AICPA to fill the gap for organizations that were being requested to have a SAS 70 (now SSAE 16) but did not officially meet the criteria of what the SAS 70/SSAE 16 standards required. Until now there was really only one recognizable audit due to SAS 70 being the defacto standard audit for all service organizations. When SAS 70 was replaced by SSAE 16 on June 15, 2011, the AICPA strategically created three different SOC reporting options to more closely align service organizations third party compliance. Now companies can obtain the correct and recognizable third-party assurance report.

SOC 2 reporting is concerned for Service Organization’s Trust Services Criteria (TSC). It defines controls necessary at a service organization that are relevant to Security, Processing Integrity, Privacy, Availability etc.

TSC reporting are required to confer to board category if controls that are necessary to adhere by the service organization’s systems in terms of security, availability, and processing integrity. SOC 2 reports are also classified under two categories namely:

      
  • Type 1 Report:Reporting focuses on the suitability of the design of controls of a service organization and the related objectives on a specified date.
  •   
  • Type 2 Report: Reporting focuses on the suitability of the effectiveness of controls of a service organization to achieve the related objective throughout the specified period.


Who Should Obtain A SOC 2 Report?

As a service provider, you need to guarantee your customers that your IT controls are aligned, designed and applied effectively to its control objectives. Also, any organization that wants to put their information systems up against best practices and those who may use this report to ensure that they have controls to provide security, confidentiality of stored information, processing integrity of transactions, system availability and privacy. Many organizations are good candidates for a SOC 2 report and we provide services not limited to the following industries:

  • Hosting providers (web hosting, e-mail hosting, document storage, backup service providers, cloud computing, dedicated server, network administrators, and more)
  • Production printing (direct mail marketers, print and mail providers)
  • Software as a Service (SaaS)
  • Application Service Providers (ASP)
  • Health care service providers
  • Government service providers
  • And more….

Note: if you are a service provider and may potentially impact the control environment of one or more of your clients’ financial reporting activities you should consider a SOC1 (SSAE 16) report.



SOC 3

SOC 3 reporting is done in line with SOC 2 reporting, with the only difference that SOC 3 reporting is meant for general use or for customers who need assurances regarding the necessary controls maintained and managed by the organization.

SOC 3 reports can be freely distributed while SOC 1 & SOC 2 reports are meant to be restricted in distribution.



What is SecurWires Offering?

SecurWires Technologies and Services LLP is a PCI SSC Authorized Qualified Security Assessor (QSA) CompanyCIS SecureSuite Member Company and a Member of Data Security Council of India (DSCI). SecurWires is a pure-play Cyber Security and Information Security Company which is dedicated to help businesses run Cyber Security and Information Security Programs more effectively. SecurWires is vendor neutral; we do not resell any software or hardware and will always recommend the best solution for the organization. Our professionals provide industry-leading expertise to help organizations meet their evolving Data Security and Privacy needs.

SecurWires is not a CPA firm and cannot provide SOC2 Attestations. However, the SecurWires offering for SOC2 includes the following -

  • Readiness Assessment
  • Evidence Collection
  • Reuse of other evidence for SOC2 audits

In addition, we have developed channel partnerships with select CPA firms who can utilize the SecurWires platform/reports to help customers get SOC2 Reports. Customers would have the option to select which firms they would like to partner with or select their own CPA firms and inform SecurWires to develop partnership with that firm.



SOC 1 vs SOC 2 vs SOC 3

 

PURPOSE

INTENDED USERS

FOCUS ON

REPORT TYPE

EVALUATES

SOC 1

Audit of Financial Statement

Financial Statement Auditors, Customers, Related third parties

Internal controls relevant to financial Reporting

Type I Type II

Design of internal Control Operating effectiveness of Internal Control during review period

SOC 2

GRC Programs, Oversight, Due diligence

Management, Regulators, Related third parties

Operational controls regarding security, availability, processing integrity, confidentiality or privacy

Type I Type II

Design of internal Control Operating effectiveness of Internal Control during review period

SOC 3

Marketing or General purpose

Anyone with a need for confidence in service organization’s controls

Easy to read report on controls

General

Design of controls related to SOC2 objectives




Read our blog to understand Trust Services Criteria 5 Trust Services Criteria (TSC)




Talk to our experts to know more about our Data Security and Privacy offerings

Speak to our Security Expert






  Offline: Leave Message