A SOC report stands for System & Organizational Controls. These reports are internal control reports that outline the services that are being provided by a service organization and the controls related to the service that is being offered. This provides valuable information to potential customers and allows the service organization to build trust and confidence around their service offerings.
With the change from SAS 70 to SSAE 16 and now to SSAE 18, there are now several types of reports that can be issued. SOC 1 Reports fall under the guidance of SSAE 18, while SOC 2 Reports fall under the guidance of AT Section 101. Below is a brief summary of each of these SOC reports:
A SOC 1 report examines internal controls at a service organization that impact a user entity’s (your customers) controls over financial reporting. This report is only to be issued when an auditor of your customer needs to gain comfort with your controls to be able to issue audited financial statements. This report can only be used by the auditors of user entities and user entities’ management.
Within SOC 1 reporting, there are Type 1 and Type 2 reports. The Type 1 report identifies the controls at a service organization but does not perform any testing to determine if the controls are operating effectively. Type 2 reports identify the controls and report on the operating effectiveness of these controls based on the testing performed.
An AT 101 SOC 2 report provides detail on the controls at a service organization relevant to the trust service principles. The five trust principles are:
The AT 101 SOC 2 report can cover any or all of these principles. A SOC 2 report is typically provided to customers to give them comfort over the controls surrounding the trust service principles. Similar to SOC 1 reporting, both Type 1 and Type 2 reports are available within SOC 2 reporting.
A SOC 3 report is the same procedures as a SOC 2 Type 2 report without the details on the controls. This report is typically used for marketing purposes and there are no restrictions on whom this report can be provided.
A Service Auditor's Report can help a service organization to:
For Organizations new to the AT 101 SOC 2 process or organizations interested in reviewing high risk areas that may have emerged since their last audit, Compass IT Compliance offers the AT 101 SOC 2 Readiness Assessment.
Services are performed by skilled professionals who have experience in risk and control oriented audits and information security to validate, prior to an actual service audit, the different criteria for the 5 Trust Services Criteria defined in conjunction with your CPA firm, ensuring your preparedness and future success for this type of engagement, and reducing the possibility of a qualified opinion or reporting exception.
The Compass Readiness Approach is a multi-step assessment process outlined below.
The first important step is to review the customer scope of the AT 101 SOC 2. Compass will review the existing control environment and supply guidance with management’s description of controls. The importance of this step is to become familiarized with the company and the personnel, systems and business processes involved in delivering these products and services to their customers. Compass will evaluate existing controls in areas such as infrastructure, software, people, procedures, and data.
Compass will provide the necessary clarity around required remediation work prior to your organization’s AT 101 SOC 2 engagement (Type 1 Report).
Compass can assist with engaging a CPA firm to complete the required Attestation documentation. Compass will partner with you and your organization throughout this crucial final step to ensure a smooth process.
The AT 101 SOC 2 report deals specifically with controls related to Security, Confidentiality, Privacy, Availability, and Processing Integrity and are known as the 5 Trust Service Principles. Developed by the AICPA and replacing the SAS 70, the AT 101 SOC 2 reports provide organizations with a broad range of information and assurance in regards to the controls and organization has in place for their systems that deal with the information processed by these systems. Some examples of organizations that would require or benefit from a SOC 2 report include:
The AT 101 SOC 2 Type I report is a report on management's description of the system(s) in scope and the suitability and design of the controls related to the Trust Principle's in scope.
The AT 101 SOC 2 Type II Report is more detailed. The Type II report includes the statement's above, related to a Type I report, but takes it a step further to outline the operating effectiveness of the controls in place over a period of time, not less than 6 months.
Compass IT Compliance partners with leading CPA Firms to assist organizations through the AT 101 SOC 2 reporting process to ensure that they are prepared and receive the proper attestation. For more information on how Compass IT Compliance can assist your organization, please contact us for an initial consultation.
