System and Organisations Controls — SOC 1 & SOC 2
What is a SOC Report?
System and Organization Controls (SOC) reports enable companies to feel confident that service providers, or potential service providers, are operating in an ethical and compliant manner. No one likes to hear the word audit, but SOC reports establish credibility and trustworthiness for a service provider — a competitive advantage that’s worth both the time and monetary investment.
SOC reports utilize independent, third-party auditors to examine various aspects of a company, such as:
- Confidentiality
- Privacy
- Controls related to financial reporting
- Controls related to cybersecurity
- Security
- Availability
- Processing Integrity
In this increasingly global and digital business landscape, companies enter partnerships with service providers who can implement and manage areas such as IT or accounting.
Before a company hands over the keys to its infrastructure or accounts, it must gain comfort that its partner is trustworthy, secure, and operating according to industry requirements.
A SOC report is the “trusted handshake” between service providers and their clients. Our experienced team can guide you step-by-step through the entire process, from the SOC Readiness Assessment to delivery of the final report.
PHASE 1:
PLANNING THE SOC
The biggest challenge in starting the conversation about the need for a SOC is justifying the cost to people who don’t understand the threat landscape or the value of being proactive rather than reactive about security.
PHASE 2–3:
DESIGNING AND BUILDING THE SOC
Once the planning phase is complete, the next step is designing the SOC. The designing and building steps are almost inextricably linked, and technology selection is a major part of both phases for the future SOC. One important focus is how the SOC will collect data.
PHASE 4:
OPERATING THE SOC
Once the SOC is built, it is time to move into the operation phase, also known as the “go live” phase. It is critical that the new SOC overcome some key challenges before the go-live date:
- First, it is important to validate that the SOC still has executive sponsorship.
- Processes will be challenging since some will be new and need to be tested.
- Technology needs to be checked to ensure that everything is functioning properly.
- Training may be needed for team members who are responsible for using and maintaining the solutions.
PHASE 5:
REVIEWING THE SOC
Once the SOC has gone live, the final phase is reviewing how successfully the SOC is operating, as well as identifying areas of improvement. Reviewing your SOC is not very different from reviewing any other critical and costly business function. The following five-step method works well to develop a report that can be used for updating leadership on the current state of the SOC:
- Determine the review’s scope — This can include all aspects of the SOC as part of a comprehensive review, but it is often more helpful to limit the scope to focus on particular areas.
- Determine participants. You need to understand who will perform and participate in the review. The specific participants may depend on the scope of the review.
- Establish a clear methodology. You need a clear methodology to guide any review, along with expected outcomes and deliverables based on a predetermined template.
- Determine frequency. Decide how frequently to perform such reviews. Certain types of reviews may or should occur more often. For example, performing frequent post-incident reviews within the first 72 hours of an incident is recommended, so that the people involved don’t forget specific events associated with the incident.
- Prioritize results and action items. Any areas for improvement and related action items need to be prioritized, executed and followed up to ensure that necessary changes are completed.
With all these requirements, it is easy to see why SOCs might fail to fulfil their initial promise.
No SOC is perfect, but a healthy SOC can evolve for the better. Efforts to maintain, review, and improve your SOC are fundamental to its long-term viability. Remember, running a SOC is a journey, not a destination.
SOC 1
SOC 1 reports address a company’s internal control over financial reporting, which pertains to the application of checks and limits on financial processes. By its very definition, as mandated by SSAE 18, SOC 1 is the audit of a third-party vendor’s accounting and financial controls. It is the metric of how well they keep their books of accounts.
SOC 2
SOC 2 is the most sought-after report in this domain and a must if you are dealing with an IT vendor. It is quite common for people to believe that SOC 2 is some upgrade over SOC 1, which is entirely untrue. SOC 2 deals with the examination of a service organization’s controls over one or more of the following Trust Service Criteria (TSC):
- Privacy
- Processing Integrity
- Security
- Confidentiality
- Availability
SOC 3
SOC 3 is not an upgrade over the SOC 2 report. It may share some components with SOC 2; still, it is an entirely different ball game. SOC 3 is a summarized version of the SOC 2 Type 2 report. So, yes, it is not as detailed as a SOC 2 Type I or SOC 2 Type II report, but a SOC 3 report is designed to be a less technical and less detailed audit report with a seal of approval that can be put up on the vendor’s website.
OTHER SOC STANDARDS
ISAE 3402 AND ISAE 3000
ISAE 3402 & ISAE 3000 are standards of the International Federation of Accountants (IFAC). These standards can be used to provide assurance on outsourcing, more specifically:
ISAE 3000
International Standard on Assurance Engagements 3000 — Assurance engagements other than audits or reviews of historical financial information.
ISAE 3402
International Standard on Assurance Engagements 3402 — Assurance reports on controls at a service organization.
CSAE 3000 / CSAE 3416
Standards for Assurance Engagements: The AASB issued an exposure draft proposing to adopt International Standard on Assurance Engagements (ISAE) 3000, Assurance Engagements Other Than Audits or Reviews of Historical Financial Information, as Canadian Standard on Assurance Engagements (CSAE) 3000, Attestation Engagements Other than Audits or Reviews of Historical Financial Information, and to issue a new CSAE 3001, Direct Engagements. CSAE 3416 reports are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
TYPE 1
Technically known as a “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design of Controls,” the Type 1 Report gives you, working as the user auditor, the opportunity to perform critical risk assessment procedures to learn whether you can achieve the related control objectives as of a specific date. The report also provides a description of your organization’s system and how it functions to achieve the goals you set to serve your customers. With the Type 1 Report, you also receive an opinion on the fairness of the description of your system and the suitability of the design of the controls.
TYPE 2
Officially known as a “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls,” the Type II report contains all the same information as the Type I report, but it adds a different element. The Type II report addresses the design and testing of the controls over a period of time, most often six months, as opposed to the specific date used in a Type I report. It also describes the testing performed and the results. This type of report is far more rigorous and intensive than Type I, as it covers a greater span of time and requires that your auditors perform a more thorough investigation of your system’s design and processes.
In our experience, the SOC 2 is increasingly valuable in business-to-business compliance and assurance. It continues to expand in usefulness as a tool to meet other requirement standards (e.g., GDPR, HIPAA and PCI) that require detailed oversight of third-party vendors. We are seeing many businesses expand from a basic SOC 2 Security report to SOC 2 Security + HITRUST, or to SOC 2 Security, Availability and Confidentiality. This demonstrates that they are expanding their control environment and better protecting their responsibilities to their customers.
WHAT DETERMINES THE PRICING OF A SOC REPORT?
The pricing of a SOC report depends on many factors, such as the number and type of controls in place, the complexity of the system and related control environment, etc. A Type 2 report costs more than a Type 1 due to the levels of testing and documentation required.
WHICH ORGANIZATIONS NEED A SOC REPORT?
Any service organization that needs an independent validation of controls relevant to how it transmits, processes, or stores client data may require a SOC report. Additionally, as a result of various legislative requirements like the Sarbanes-Oxley Act, as well as increased scrutiny over third-party controls, clients are increasingly requiring SOC reports from their service organizations.
Our time estimation and time frames are divided into the following phases:
Phase 1:
Initial Planning including the understanding of expectations and reconfirmation of scope.
Phase 2:
Understand System & Perform Design Assessment – performing control identification/validation and walkthroughs.
Phase 3:
Perform Assessment — Fieldwork and sample-based testing.
Phase 4:
Communicate Results – discussion of issues and working on the final deliverable.
Phase 5:
The SOC 2 Type 2 Reporting Phase.