Many businesses rely on service organizations to provide needed services that require access to personally identifiable information (PII) of employees, customers, and suppliers. This often includes payroll providers, financial institutions, retirement plan administrators, credit card companies, and insurance claims administrators. When dealing with PII it is essential to ensure the proper cybersecurity and data protection measures exist to ensure security. The combination of cybersecurity issues and pandemic-related disruptions have created pressure to demonstrate systems and controls are effective. As a result, many are asked by customers to provide a SOC report which provides assurance companies are taking the necessary steps. There are two types of reports including a SOC 1 report and SOC 2 report, which serve different purposes. To help clients, prospects, and others, Calvetti Ferguson has provided a summary of each below.
Who Is Subject to SOC Audits?
All service organizations may need a SOC audit at one point or another. Specifically, technology companies and software providers are frequently asked to independently verify their controls. Other service organizations that may be subject to SOC audits include:
- Payroll providers
- Third-party administrators
- Data companies
- Loan servicers and collection companies
- Medical claims businesses
- Other financial services and technology providers
Customers can request a SOC report or require it as part of the contract. Once an organization determines that a SOC audit is necessary, the next step is to determine which type of report is best suited for the desired outcome.
First, it is important to understand the difference between a SOC examination and the accompanying report. Typically, independent auditors perform the examination, which is the process of evaluating controls, and then the auditor issues the report, which is used by management, customers, or other stakeholders.
SOC 1 Reports
SOC 1 reports are designed to assess financial reporting risks in systems and controls at a certain point in time. These reports are best suited for service organizations that have never been audited before or perhaps recently overhauled internal controls or service offerings. SOC 1 reports are intended for internal management and auditors.
Within SOC 1 reports, there are two types: I and II. Type I reports test the controls at a certain date but do not seek to validate their effectiveness, whereas Type II reports cover a specified period and evaluate control effectiveness.
SOC 2 Reports
SOC 2 reports analyze controls against the AICPA’s Trust Services Criteria, which are:
- Processing Integrity
These criteria serve as a foundation by which auditors can evaluate and compare how well an organization’s systems and controls are functioning. The auditor may use one or all of the five criteria to evaluate systems and controls effectiveness, depending on the specific organization. Unlike SOC 1 reports, SOC 2 reports cover an extended period.
The reports are intended for external stakeholders, like customers, those charged with governance, and regulatory oversight. Management and the auditor should decide before the examination who the intended audience is so the scope can be adjusted accordingly. SOC 2 reports provide the highest level of transparency when performed annually, as evidence of an organization’s continued commitment to security.
Like SOC 1 reports, there are two types of SOC 2 reports. Type I determines whether the systems and controls are fair at a given point. Type II goes a step further and assesses how well the controls are operating over a reporting period, like 12 months.
Since SOC 2 reports go into more detail and depth than SOC 1 reports, service organizations may be required to disclose the significant effects of COVID-19 or going concern issues. This could come up if the organization was forced to substantially change its operations, systems, or controls – either related to COVID-19 or another significant event.
There are several important differences between SOC 1 and SOC 2 reports and the various types offered. For this reason, it is important to consult with a qualified provider to help identify the right SOC report for your needs. If you have questions about the information outlined above or need assistance with a SOC or cybersecurity issue, Calvetti Ferguson can help.