A System and Organization Controls (SOC) audit is an internal control report that is performed for service organizations. The purpose of a SOC audit is to help businesses more easily manage their customers’ cybersecurity requirements, and to demonstrate a commitment to protecting client data. A SOC report is typically required by — and subsequently provided to — the clients and customers of service organizations, often in lieu of lengthy and complicated digital security questionnaires.
SOC audit services have only been available since mid-2011. Prior to that time, the only compliance standard that was available for service organizations was the SAS 70. Since then, the business process and information technology outsourcing landscape has changed significantly. To meet the needs of the current marketplace, the AICPA created four primary types of SOC reports:
A SOC 1 report is a restricted use internal control audit that’s focused on outlining an organization’s internal controls over financial reporting. Of all the SOC audits, it’s the closest reporting standard to the former SAS 70. This option is suited for service organizations who process financial or financial-related data for their customers. SOC 1 reports describe the control objectives that directly support information technology and business process control activities. As a restricted use report, the SOC 1 audit can only be distributed to current customers and their auditors.
A SOC 2 report is also a restricted use report, but it focuses on outlining the service organization controls related to compliance and operations. It addresses issues such as Security, Availability (uptime), Processing Integrity, Confidentiality, and Privacy. SOC 2 audits are typically performed for companies that provide data hosting or software-as-a-service (SaaS), and for cloud-based entities.
A SOC 3 audit follows the same general process as a SOC 2 audit but is much less comprehensive. It’s considered a general use report that can be distributed to prospects, as well as existing clients, which can be attractive. SOC 3 reports are not commonly used due to the limited value that the report provides for user auditors and for due diligence purposes.
The SOC for Cybersecurity audit is a relatively new reporting framework established by the AICPA that enables an organization to evaluate their cybersecurity risk management program on an entity-wide basis, or for a specific division. Unlike the other three types of SOC reports, the SOC for Cybersecurity audit can be performed for any business, not just service organizations.
Organizations that are considering engaging an auditor to conduct one of these specialized SOC audits need to make the right choice. Choosing the correct report can only be assured by consulting with an expert CPA with experience in this highly specialized audit area. Withum’s SOC audit specialists would be pleased to discuss your particular fact pattern, and help you determine the appropriate SOC engagement and engagement scope that will best meet your needs and the requirements of your customers. Be sure to pick the SOC that fits!