Frequently Asked Questions | SOC Reporting | SSAE 18

If you’ve landed here, you know that SOC reports take the cake in the confusing requirements department.

We’ve put together an FAQ covering SOC reporting that we hope can relieve some of the confusion and even frustration you may be feeling. Don’t hesitate to reach out to learn more if you’re still left with questions or want to dig deeper into SOC reports.

What are SOC reports?

A System and Organization Controls (SOC) report is a verifiable auditing report performed by a Certified Public Accountant (CPA) designated by the American Institute of Certified Public Accountants (AICPA).

What are the Current Standards for Attestation Engagements?

The Statement on Auditing Standards (SASs) primarily provides guidance on reporting on an audit of financial statements, whereas the Statement on Standards for Attestation Engagements (SSAEs) primarily provides guidance on reporting on other subject matter.

In 2010, the AICPA introduced SSAE 16, which replaced SAS 70. It was designed to closely mirror international accounting standards. In 2016, the AICPA introduced SSAE 18, which replaced SSAE 16. The intent was to standardize attestation criteria. And then in 2022, SSAE 21 replaced SSAE 18.

What are the two types of SOC reports?

A SOC 1 report is designed to address controls over financial reporting. Providing services that impact the financial statements of clients or customers typically results in the need for a SOC 1 report. Common examples include payroll processors and collections agencies. It’s also possible to do a SOC 1 report that simply covers IT General Controls.

A SOC 2 report is focused on a control environment built on controls that that meet the relevant SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality and/or privacy).

To complicate things, each type of report can be completed as a Type 1 or a Type 2. A Type 1 report is controls in place at a specific point in time where the auditor opines on the design and implementation of the controls. A Type 2 report is controls in place over a period of time where the auditor opines on the operating effectiveness of the controls over that period of time in addition to design and implementation of the controls.

If there are only two types of SOC reports, then what’s a SOC 3 report?

The SOC 3 is a derivative of the SOC 2 report. SOC 3 reports are general purpose reports that can be posted online for public consumption. It’s a summary level report that leaves out a lot of the detail from the SOC 2 report.

What are the components of a SOC 1 report?

A SOC 1 report is built around the system description and related control objectives.

System Description – narrative component to provide users with a comprehensive understanding of the service organization’s systems, processes, and controls.

Control Objectives – provide a clear and structured framework for assessing whether the controls procedures were designed and operating effectively to achieve the purpose of the control objective. Here are some common control objectives:

  • Logical Access
  • Backup and Recovery
  • Physical Security
  • Network Security
  • System Development and Maintenance
  • Onboarding and Training
  • Processing of Transactions

What are the components of a SOC 2 report?

A SOC 2 report is built around the system description and related control procedures supporting the in-scope Trust Services Criteria.

System Description – narrative component to provide users with a comprehensive understanding of the service organization’s systems, processes, and controls.

Trust Services Criteria – The AICPA establishes the Trust Services Criteria. The Service Organization selects the Trust Services Criteria that are in scope. This is typically driven by conversations with customers and reviews of contracts with customers.

Originally, these five attributes of a system used to be known as principles. A few years ago, the name “Trust Services Principles” was changed to “Trust Services Criteria.”

The five categories didn’t change and the same basic framework is in place for assessing the controls. Within the five categories, there are individual criteria. They are more like requirements. The things you put in place to meet the requirements are the controls.

Control Procedures – the controls identified by the Service Organization to support the Service Organization having appropriate controls to meet the selected Trust Services Criteria.

What are the 5 Trust Services Criteria in a SOC 2 report and what do they cover?

1. Security – addresses controls related to protecting the system and data from unauthorized access, damage, or theft.

2. Availability – ensures that the system and services are available as agreed upon in service level agreements.

3. Processing Integrity – ensures that system processing is accurate, complete, and timely.

4. Confidentiality – maintaining the confidentiality of sensitive data.

5. Privacy – the collection, use, retention, disclosure, and disposal of personal information to ensure alignment with data protection laws and regulations.

When is SOC 2 more appropriate than a SOC for Cybersecurity?

SOC 2 is a voluntary compliance standard for service organizations that specifies organizations should manage customer data based on the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 is increasingly valuable in business-to-business compliance and assurance.

It continues to expand in usefulness as a tool to meet other requirement standards (e.g., GDPR, HIPAA & PCI DSS) that require detailed oversight of third-party vendors.

We’re seeing many businesses expand from a basic SOC 2 Security report to SOC 2+ which can include additional criteria or frameworks important to your customers. Expanding on the basic SOC 2 demonstrates you’re expanding your control environment and better protecting your clients.

Learn more about SOC 2.

What are the common SOC 2+ frameworks?

The AICPA provides mappings for the following frameworks:

  • ISO 27001
  • NIST 800-53
  • GDPR
  • CSA’s Cloud Controls Matrix
  • ISACA Blockchain Framework

Other frameworks and mappings exist in practice, so the list above is not comprehensive. For example, Microsoft includes German C5 (Cloud Computing Compliance Controls Catalogue) in its report.

While it may take more time, resources, and judgment, it’s possible to include other frameworks in a SOC 2+ that haven’t been mapped by the AICPA.

When is SOC for Cybersecurity more appropriate than a SOC 2 report?

The SOC for Cybersecurity examination provides an independent, entity-wide assessment of your organization’s cybersecurity risk management program. It’s especially useful for larger organizations that need a measurement of their own cybersecurity posture.

It also helps to quantify risk over time for board members who want to know if cybersecurity risks are being adequately mitigated. It’s a great way to measure whether very specific controls have improved from year to year.

Learn more about SOC for Cybersecurity.

Does the SOC 2 guide require that a type 2 report cover a specified minimum period?

SOC 2 Type 2 is a period-of-time report, but the SOC 2 guide does not prescribe a minimum period of coverage for a SOC 2 report.

Practitioners need to use professional judgment in determining whether the report covers a sufficient period.

The SOC 2 guide actually gives an example of a service organization that wishes to engage a service auditor to perform a type 2 engagement for a period of fewer than two months. In essence, it states that the service auditor should consider whether a report covering that period will be useful to users – particularly if many of the controls related to the applicable trust services criteria are performed on a monthly or quarterly basis.

Barnes Dennig SOC Reporting Client Locations

Get a SOC Quote

See Barnes Dennig ratings and testimonials on ClearlyRated
IPA Top 200 Firms

All the things that matter are always covered. In language I can understand.

— Barnes Dennig Client, 2022

I've been very pleased with the services provided and high-touch service we've received.

— Robin M., CFO

We are an ever-changing client and they work hard to understand what changes we've made, why and how they impact our SOC report.

— Barnes Dennig Client, 2021

Getting requests for your SOC report?

Talk to one of our top SOC reporting pros today.

Apply Now