What is a SOC Audit and Why do I Need One?

SOC Audit Overview

As defined by the American Institute of Certified Public Accountants (AICPA), System and Organization Control (SOC) reports are a suite of reports produced as part of an audit or attestation examination of your company’s internal controls—the processes your company has put in place to ensure sensitive information, especially financial data, is accurate and the data is protected and handled appropriately. SOC reports can provide a means for understanding where an organization may need additional processes and rules to protect its organization and the data it stores. All SOC reports framework falls under and offers recommendations for improvement, control development, and monitoring, which are keys to SOC compliance.

SOC 1 Reports

How does an organization decide which SOC report is right for them? There are three different SOC reports, SOC 1, SOC 2, and SOC 3. In addition, SOC 1 and SOC 2 reports can be Type l or Type ll. SOC 1 reports are based on the SSAE 16 reporting standard and cover financial statement controls. SOC 1 audits focus on financial transactions and financial statement data to see how well the internal controls are designed to prevent mistakes. SOC 1 is designed to provide the assurance customers need in their service providers when undergoing their own financial audits. SOC 1 audits have a limited scope and are not designed to look broadly across the security and privacy of all data. Some examples of a SOC 1 report scope include payroll processing, medical claims processing, accounts receivable/payable, and loan servicing companies. This is not the type of audit that should be conducted if sensitive data is being stored.

SOC 2 Reports

A SOC 2 report is directed toward the non-financial controls. This report is based on one or more of the five Trust Services Criteria; security, availability, processing integrity, confidentiality, and privacy. The Security controls demonstrate that your service organization has taken deliberate steps to protect the information you have access to. The Availability controls should ensure that systems are available for use by clients as agreed upon. Processing Integrity controls should ensure that information is processed completely and accurately and that checks and balances are in place to identify / correct processing errors. Confidentiality controls should cover not only how confidential data will be used and how the data is stored, but how it is secured while in transit or when it is being deleted. Lastly, the Privacy controls are related to the protection of personal information and the rights users have regarding their personal data.

The company being audited for a SOC 2 report selects which of the Trust Service Criteria they want to include based on their business model, with security being the only required criteria. A SOC 2 report is important for organizational oversight, regulatory oversight, risk management processes, and vendor management programs. Many companies have come to rely on the results of SOC 2 audits to help them evaluate the efficacy of security controls for their vendors, partners, and service providers. A SOC 2 report is also a prerequisite for service organizations that partner with a tier-one supply chain organization, such as data centers, software as a service (SaaS) providers, and network monitoring service providers. SOC 2 reports can also be used by customers or potential customers to understand the details of processing and security controls in place at a service organization.

SOC 2 and SOC 3 audits cover the same control types and scope but include varying levels of information in the report. A SOC 3 report is similar to a SOC 2 in that it focuses on security, confidentiality, processing integrity, availability, and/or privacy controls. The main difference is that SOC 3 reports are written specifically for the purpose of being widely shared and are therefore written generically for a broader audience.

Which is Right For Your Business? 

So how do you decide which SOC audit to conduct? The answer is simpler than you may think! If you need to audit your financial systems, then a SOC 1 audit is what you need. If you are not auditing financial systems then a SOC 2 audit is more fitting.

As previously mentioned, SOC 1 and SOC 2 audits are either Type l or Type ll. A Type l audit is a point in time and does not test the operating effectiveness of the controls over time. A Type II audit does measure the operating effectiveness of controls over a specified audit period. The general recommendation is to conduct a Type I audit first and then conduct a Type II audit anywhere from 3 months to 1 year later.

When preparing for a SOC audit, the first step is to decide which SOC audit (SOC 1, SOC 2, or SOC 3) you want to conduct and what audit period (Type I or Type II) you want to cover in the report. Are you being asked to provide a SOC report by a customer or potential customer? If so, they will likely request a specific report and reporting period. Once you know which SOC audit you want to perform and over which dates, the official process begins with a SOC readiness assessment. A SOC readiness assessment is conducted by reviewing your documented policies and procedures and comparing them to your operating controls to identify any gaps, deficiencies, or other potential red flags. Remediation, compensating controls, or changing the audit control scope are all valid options for addressing any issues found during the readiness assessment.

After all identified gaps have been addressed, it is time to conduct the SOC audit. SOC audits generally take about 3 months to complete, and timing will depend on the type of audit you are conducting (Type 1 or II) as well as the reporting timeframe (point in time, 3 months, one year, etc.). Every SOC report will include the auditor’s opinion about whether the description of controls provided by the company was presented fairly and designed effectively. To this end, management must provide an assertation letter that describes the system and level of service expected by the system user for inclusion in the SOC report. If the auditor found that the company represented its design and operating efficiency in a fair and accurate manner, the report will be unqualified. An unqualified opinion is the equivalent of a gold star. Conversely, a qualified opinion means that there were significant discrepancies found between the company’s statements and reality. An adverse opinion is when there are multiple control failures or when the entire objective is not being met. Receiving an unqualified report does not mean no exceptions exist, it just means the exceptions did not materially affect management’s representation of the system and its level of service.

Purpose Behind SOC Reports

SOC reports are meant to help organizations get a better understanding of the level of risk involved with important business and security decisions. It is up to the report reader (your customer, vendor, service provider, etc.) to determine if the auditor’s observations and opinion are based on exceptions/deficiencies the reader considers to be impactful or not.

SOC audits do not provide a pass or fail result, rather they provide independent and actionable feedback about an organization’s internal controls and safeguards. A SOC audit can provide you with the resources you need to identify blind spots or inefficiencies in your internal processes and security controls. Planning and preparation are the keys to a great defense within any organization. The information you receive from conducting a SOC audit can be used to fuel internal discussion about potential risks and how to mitigate those risks.

Here at MegaplanIT, we have many years of experience conducting security assessments, from NIST to HIPAA to PCI to SOC. We can guide your organization through every step of your assessment process, including audit preparation, onsite assessment of data flows and processes, policy and procedure development, and control validation. Call us today to speak with industry-certified experts and learn how we can keep your data secure.