Providing trust and assurance to stakeholders through a SOC 1 or SOC 2 review requires carefully and clearly articulated information on controls.

If your organization provides outsourced services to other businesses, it is likely that you will be requested to demonstrate that you maintain a sound environment of internal control over the transactional data you manage or systems you host on their behalf.

A System and Organization Control (SOC) attestation is an examination performed by an independent accounting firm. The primary objective of a SOC attestation is to provide transparency related to a service organization’s internal control structure, and to provide assurance regarding the design and operating effectiveness of the controls that are in place.

A SOC attestation results in a published report that includes any control exceptions or failures.

A SOC 1 examination is focused on services that are relevant to customers’ internal controls over financial reporting. Organizations that provide services that directly impact financial reporting such as payroll processing, revenue reporting, debt collections or loan servicing, provide A SOC 1 report to their customers. Technology companies, such as accounting software providers or data centers, who provide infrastructure for financially relevant systems, may also consider A SOC 1 report.

SOC 1, Type 1

A Type 1 report focuses on the design of controls as of a point in time. With this attestation, management is responsible for demonstrating that they have designed controls appropriately to mitigate the risks related to their services as it pertains to their users, and that those controls have been implemented as of a specific date.

What to expect in your Type 1 attestation report:

  1. The service auditor’s opinion
  2. Management’s assertion
  3. Management’s description of their internal control processes
  4. Identification of controls that were designed and implemented as of the examination date

SOC 1, Type 2

A Type 2 report focuses on controls operating effectively over a period of time. Similar to a type 1 attestation, management is responsible for demonstrating that they have designed controls appropriately to mitigate the risks related to their services, as it pertains to their users, and that those controls have been implemented as of a specific date. In addition, management would need to demonstrate that those controls were operating effectively throughout a period of time, typically between six and 12 months.

What to expect in your Type 2 attestation report:

  1. The service auditor’s opinion
  2. Management’s assertion
  3. Management’s description of their internal control processes
  4. A summary matrix that includes the service auditor’s test procedures for each key control activity, the results of those procedures, as well as any identified exceptions

A SOC 2 examination evaluates an organization’s information systems relevant to one or more Trust Services Principles (TSPs). These reports are typically best suited for companies that provide services that are operational in nature. The security, availability, processing integrity, confidentiality and privacy TSPs are designed to work together to represent different aspects of system reliability. Criteria relevant to all five principles are called “common criteria” and the security principle encompasses all of these criteria. The four remaining TSPs — availability, processing integrity, confidentiality and privacy — have individual criteria that must be evaluated in addition to the common criteria.

The baseline of any SOC 2 is the common criteria, which are organized as follows:

  • Organization and management
  • Communications
  • Risk management and design and implementation of controls
  • Monitoring of controls
  • Logical and physical access controls
  • System operations
  • Change management

SOC 2, Type 1

A Type 1 report focuses on the design of controls as of a point in time. With this audit, management is responsible for demonstrating that they have designed controls appropriately to mitigate the risks related to their services as it pertains to their users, and that those controls have been implemented as of a specific date.

What to expect in your Type 1 audit report:

  1. The service auditor’s opinion
  2. Management’s assertion
  3. Management’s description of their internal control processes
  4. Identification of controls that were designed and implemented as of the examination date

SOC 2, Type 2

A Type 2 report focuses on control operating effectively over a period of time. Similar to a type 1 audit, management is responsible for demonstrating that they have designed controls appropriately to mitigate the risks related to their services, as it pertains to their users, and that those controls have been implemented as of a specific date. In addition, management must demonstrate that those controls were operating effectively throughout a period of time, typically between six and 12months.

What to expect in your Type 2 audit report:

  1. The service auditor’s opinion
  2. Management’s assertion
  3. Management’s description of their internal control processes
  4. A summary matrix that includes the service auditor’s test procedures for each key control activity, the results of those procedures, as well as any identified exceptions

A SOC 3 examination is intended for general public consumption and may be posted on your company’s website or other public channel. Common uses for SOC 3 reports include marketing and vendor due diligence. Similar to A SOC 2 attestation, A SOC 3 attestation evaluates an organization’s information systems relevant to one or more Trust Services Principles (TSPs). These reports are typically best suited for companies that provide services that are operational in nature. The security, availability, processing integrity, confidentiality and privacy TSPs are designed to work together to represent different aspects of system reliability. Criteria relevant to all five principles are called “common criteria” and the security principle encompasses all of these criteria. The four remaining TSPs — availability, processing integrity, confidentiality and privacy — have individual criteria that must be evaluated in addition to the common criteria.

The baseline of any SOC 3 is the common criteria, which are organized as follows:

  • Organization and management
  • Communications
  • Risk management and design and implementation of controls
  • Monitoring of controls
  • Logical and physical access controls
  • System operations
  • Change management

A SOC 3 examination must be performed over a period of time. A SOC 3 attestation is often performed as an add-on service to A SOC 2, Type 2 engagement. Unlike the other SOC options, A SOC 3 report is very brief and only contains high-level information that is appropriate for a board audience.

What to expect in your SOC 3 attestation report:

  1. An abbreviated service auditor’s opinion
  2. An abbreviated management’s assertion
  3. A summary of management’s description of their internal control processes

Technology and Risk Advisory Contacts:

Paul Schmidt

Partner,
CPA, CA, CITP, Information Technology


Email: pschmidt@wm.ca

Phone: 604-691-6826

Killian Ruby
Partner, CPA, CA, I.A.C.T,
Audit and Accounting

Email: kruby@wm.ca

Phone: 604-691-6881


Vaclav Vincalek

Managing Director,
Technology & Advisory Services


Email: vvincalek@wm.ca

Phone: 778-945-2996

Recent Articles:

Rekor Launches New AI School Security and Student Safety Software

Rekor Launches New AI School Security and Student Safety Software ... OnGuard enhances student safety by identifying and assessing threats ...
Read More
/ Cyber Security News

Global Web Application Firewall (WAF) Market Size – Industry Insights Top Trends Drivers Growth …

The leading competitors functioning in the Global Web Application Firewall (WAF) Market are focusing on expansions, ... The report provides ...
Read More
/ Cyber Security News

Financial Analysis: ChannelAdvisor (NYSE:ECOM) vs. Rapid7 (NYSE:RPD)

Further, the company provides consulting services in the areas of cyber security maturity assessment, incident response program development, ...
Read More
/ Cyber Security News

Thousands of Movie Pass subscribers have info exposed in data breach

A cyber-security expert reportedly discovered the un-encrypted database of 161 million pieces of information, including personal credit card details, ...
Read More
/ Cyber Security News

7 IT security best practices to know to prevent data breaches

Imagine a hacker trying to break into a secure system. You often envision an expert programmer make attempts at a ...
Read More
/ Cyber Security News

Internet ‘bazaar’ announces it’s selling card data stolen in Hy-Vee data breach

... stolen during a data breach at Hy-Vee went on sale this week at a site that traffics in stolen ...
Read More
/ Cyber Security News

Work-From-Anywhere Cultures Need Work-From-Anywhere Security: The Value of a Managed …

Learn how partners can help secure mobile workforces. ... however, a data breach could outweigh the potential benefits of a ...
Read More
/ Cyber Security News

The Top Cyber Security Trends in 2019 (and What to Expect in 2020)

Verizon's 2019 Data Breach Investigations Report (DBIR) reports that 32% of confirmed data breaches boiled down to phishing, and 78% ...
Read More
/ Cyber Security News

Incident Of The Week: Millions of Hy-Vee Customer Payment Cards Appear For Sale Online

The online “dump” of payment card data appeared online under the breach ... according to reports and images shared with ...
Read More
/ Cyber Security News
Loading...