System and Organization Control (SOC) Reporting Services

SOC Q&A

What is a SOC report?

A SOC report is an independent attestation report, issued by a CPA firm under AICPA attestation standards, on the controls at a service organization. SOC reporting is a valuable tool: organizations can give their customers assurance over the internal processes, policies and procedures that govern security, confirm that their own vendors comply with their standards, and obtain assurance over their cyber security program. SOC 1 and SOC 2 reports are issued as Type 1 (design of controls at a point in time) or Type 2 (design and operating effectiveness of controls over a period, typically six to twelve months); most customers performing vendor risk management ask for a Type 2 report.

There are several types of SOC reports, each one addressing specific needs of an organization’s SOC report users.

  • SOC 1
  • SOC 2
  • SOC 3
  • SOC for Cybersecurity
  • SOC for Supply Chain

Why would my organization want to issue a SOC report?

  • How much time do you spend performing customer-requested audits or filling out customer vendor questionnaires?
  • Do agreements with your customers require your company to provide assurance in the form of a SOC 1 or SOC 2 report?
  • Do you process sensitive customer data or provide services to organizations involved in a supply chain?

For all these reasons, and many more, your organization should consider whether a SOC report would give customers and other stakeholders the information they need while reducing the time spent completing individual customer-requested audits and filling out vendor questionnaires. A SOC report provided to your organization’s customers not only increases transparency but also builds trust with the users that interact with the services your organization provides.

Does your organization receive high volumes of client and stakeholder requests for assurance? Does your company need assurance from the vendors that handle your sensitive data?

  • SOC reporting helps you stay a step ahead of uncertainty
  • Reduce compliance costs and time spent on audits and filling out vendor questionnaires
  • Meet contractual obligations and marketplace concerns through flexible, customized reporting
  • Proactively address risks across your organization
  • Increase trust and transparency to internal and external stakeholders


Contact Us

  • Cindy Psuik
  • SOC Expert
  • cindyp@squire.com

SOC 1

If your organization provides services that affect your customers’ financial reporting, and those customers or their financial statement auditors need assurance over the related controls, a SOC 1 report is the appropriate report for your organization. Employee benefit plan administrators, third-party administrators, payroll processing organizations and hosted software applications are just a few examples of service organizations that process financial data included in their customers’ financial statements and therefore issue SOC 1 reports.

  • Purpose: Reports on the controls of the service organization that are relevant to the user organization's financial reporting.
  • Scope: Controls related to the accuracy of financial data and information technology general controls.
  • Audience: User organization's financial executives, compliance officers and financial statement auditors

SOC 2

If your organization is entrusted with a customer’s sensitive or confidential data, a SOC 2 report is the appropriate report for your organization.  A SOC 2 report provides user organizations with assurance over the critical systems used to deliver outsourced services and is typically used by customers for vendor risk management requirements surrounding security.  SOC 2 reports cover controls over security, availability, confidentiality, processing integrity and privacy. 

  • Purpose: Reports on the effectiveness of the controls of the service organization related to operations, based on the selected trust services criteria (TSC)
  • Scope: Governance, operational and information technology general controls that address one or more of the TSC categories: security, confidentiality, availability, processing integrity and privacy
  • Audience: User organization's information technology executives, compliance officers, vendor management executives, regulators, other specified parties and appropriate business partners
  • Additional Criteria: SOC 2 reports can also include other suitable criteria, such as HITRUST, the HIPAA Security Rule and others.

SOC 3

If you need a simple, easy to understand report to enhance your marketing efforts and to share with anyone, a SOC 3 report is the appropriate report for your organization.  Typically, a SOC 3 report is issued in conjunction with a SOC 2 report.

  • Purpose: Reports on the effectiveness of the controls of the service organization related to operations, based on the selected trust services criteria (TSC)
  • Content: Based on the same examination and trust services criteria as a SOC 2 report, but omits the detailed system description, the individual controls and the auditor’s test results; it contains the auditor’s opinion and a short description of the system and its boundaries
  • Audience: Unrestricted and can be used by anyone who has the appropriate understanding of the subject matter and who would like confidence in the controls for the service organization

SOC for Cybersecurity

If your organization’s board of directors, senior management or other stakeholders would like assurance over your organization’s cyber security risk management program as a whole, rather than over a single service or system, a SOC for Cybersecurity report is what you need.

SOC for Supply Chain

The AICPA is currently developing SOC for Supply Chain, a report on an organization’s system and controls for producing, manufacturing or distributing goods, so that customers and business partners can understand the risks in the organization’s supply chain.
