If you’ve landed here, you know that SOC reports take the cake in the confusing requirements department.
We’ve put together an FAQ covering SOC reporting that we hope can relieve some of the confusion and even frustration you may be feeling. Don’t hesitate to reach out to learn more if you’re still left with questions or want to dig deeper into SOC reports.
What are SOC reports?
A System and Organization Controls (SOC) report is a verifiable auditing report performed by a Certified Public Accountant (CPA) designated by the American Institute of Certified Public Accountants (AICPA).
What are the Current Standards for Attestation Engagements?
The Statements on Auditing Standards (SASs) primarily provide guidance on reporting on an audit of financial statements, whereas the Statements on Standards for Attestation Engagements (SSAEs) primarily provide guidance on reporting on other subject matter.
In 2010, the AICPA introduced SSAE 16, which replaced SAS 70. It was designed to closely mirror international accounting standards. In 2016, the AICPA introduced SSAE 18, which replaced SSAE 16; the intent was to standardize attestation criteria. In 2022, SSAE 21 replaced SSAE 18.
When is SOC 2 more appropriate than a SOC for Cybersecurity?
SOC 2 is a voluntary compliance standard for service organizations that specifies that organizations should manage customer data based on the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy.
SOC 2 is increasingly valuable in business-to-business compliance and assurance.
We’re seeing many businesses expand from a basic SOC 2 Security report to a SOC 2+ report, which can include additional criteria or frameworks important to your customers. Expanding on the basic SOC 2 demonstrates that you’re expanding your control environment and better protecting your clients.
When is SOC for Cybersecurity more appropriate than a SOC 2 report?
The SOC for Cybersecurity examination provides an independent, entity-wide assessment of your organization’s cybersecurity risk management program. It’s especially useful for larger organizations that need a measurement of their own cybersecurity posture.
It also helps to quantify risk over time for board members who want to know if cybersecurity risks are being adequately mitigated. It’s a great way to measure whether very specific controls have improved from year to year.
Does the SOC 2 guide require that a Type 2 report cover a specified minimum period?
SOC 2 Type 2 is a period-of-time report, but the SOC 2 guide does not prescribe a minimum period of coverage for a SOC 2 report.
Practitioners need to use professional judgment in determining whether the report covers a sufficient period.
The SOC 2 guide actually gives an example of a service organization that wishes to engage a service auditor to perform a Type 2 engagement for a period of fewer than two months. In essence, it states that the service auditor should consider whether a report covering that period will be useful to users, particularly if many of the controls related to the applicable trust services criteria are performed on a monthly or quarterly basis.
Is there a prescribed set of control objectives for SOC 2 and SOC 3 engagements?
In SOC 2 and SOC 3 engagements, the five Trust Services Categories (TSC) that can be covered are security, availability, processing integrity, confidentiality, and privacy, as outlined in TSC Section 100. (Originally, these five attributes of a system were known as principles; a few years ago, the name “Trust Services Principles” was changed to “Trust Services Categories.”) The five categories didn’t change, and the same basic framework is in place for assessing the controls.
Within the five categories are individual criteria, which function more like requirements. The things you put in place to meet those requirements are the controls.