SOC (System and Organization Controls) audits are internal control audit engagements performed for service organizations (organizations that provide certain functions for other entities on an outsourced basis). The SOC audit reports are typically required by and provided to the customers of the service organizations (user entities). SOC audits have only been available since June 2011. Prior to that time, the audit standard available for service organizations was Statement on Auditing Standards No. 70 (SAS 70). SAS 70 audit reports were developed by the AICPA in the early 1990s to fill a need for the types of outsourced services that were prevalent then, and they only addressed the control objectives and supporting control activities applicable to financial reporting. The business process and information technology outsourcing landscape has changed significantly since the 1990s, and not all of the needs of the current marketplace were being properly addressed by the old SAS 70 reports. To meet the needs of the current marketplace, the SAS 70 standard was superseded by the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) in June 2011, which was in turn superseded by the current standard, SSAE 18, effective May 1, 2017.
A SOC 1 report is focused on internal controls over financial reporting and is the closest reporting standard to the former SAS 70. This option is suited to service organizations that process financial transactions or financial-related data for their customers. SOC 1 reports include the control objectives and the supporting information technology and business process control activities that the service organization believes are relevant to its user organizations and to the independent auditors of those user organizations.
A SOC 2 report is focused on service organization controls related to compliance or operations and addresses issues such as Security, Availability (uptime), Processing Integrity, Confidentiality, and Privacy. SOC 2 audit reports address the concerns of user entities that use a service organization to provide services not related to financial reporting. Typical examples are data hosting, software-as-a-service (SaaS) providers, and cloud-based entities.