System and organization controls (SOC)
- SOC 1 — SOC for Service Organizations: ICFR
- SOC 2 — SOC for Service Organizations: Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
evaluate the effectiveness of controls relevant to the trust services category or categories included within the scope of a specific examination.
Identifying controls that address the risk that may threaten the achievement of the entity’s principal system objectives
insights into the entity’s system and controls, aiding in understanding how the entity operates and the effectiveness of its controls in achieving its objectives.
Using Amazon and Google as short case studies, both firms receive a SOC audit from Ernst & Young for several of their services across many geographic regions (physical technology is often distributed geographically). Someone familiar with Amazon Web Services (AWS, Amazon’s cloud service) would recognize many of these services. For example, among 114 service lines, AWS’s popular Elastic Compute Cloud is included, as is its data storage service Simple Storage Service. Google likewise receives a SOC audit of Gmail, Google Calendar, and Google Cloud, among many of its other services. Other companies in the SOC audit sample include Facebook, Goldman Sachs, Oracle, and Salesforce.
companies that derive benefits from collecting and processing large amounts of data from corporate customers will likely need to design and enforce complex internal controls over data security and processing integrity. Thus, companies in technology and other data-driven industries are good candidates for realizing benefits from SOC audits. By contrast, firms that do not collect large amounts of data may forgo a SOC audit due to its cost. As a result, industry classifications are good proxies for the benefits and costs of SOC audits.
Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives. Security refers to the protection of i. information during its collection or creation, use, processing, transmission, and storage and ii. systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives. Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.
Availability. Information and systems are available for operation and use to meet the entity’s objectives. Availability refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers. The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring, and maintenance.
Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing.
Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity.
Confidentiality. Information designated as confidential is protected to meet the entity’s objectives. Confidentiality addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries).
Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel.
Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.
Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information. The privacy criteria are organized as follows:
- i. Notice and communication of objectives. The entity provides notice to data subjects about its objectives related to privacy.
- ii. Choice and consent. The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.
- iii. Collection. The entity collects personal information to meet its objectives related to privacy.
- iv. Use, retention, and disposal. The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy.
- v. Access. The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.
- vi. Disclosure and notification. The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy.
- vii. Quality. The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet its objectives related to privacy.
- viii. Monitoring and enforcement. The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.
System and Organization Controls for Service Organizations: ICFR (SOC 1)
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR). These reports are intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements. There are two types of reports for these engagements. Type 1 is a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and implementation of the controls to achieve the related control objectives included in the description at a specific point in time. Type 2 is a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design, implementation, and operating effectiveness of the controls to achieve the related control objectives included in the description over a minimum six-month period.
Use of these reports is often restricted to the management of the service organization, user entities, and user auditors.
System and Organization Controls for Service Organizations: Trust Services Criteria (SOC 2)
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in: oversight of an important organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Similar to a SOC 1 report, there are two types of reports. Type 1 is a report on management’s description of a service organization’s system and the suitability of the design and implementation of controls at a specific point in time. Type 2 is a report on management’s description of a service organization’s system and the suitability of the design, implementation, and operating effectiveness of controls. Use of these reports is often restricted to the management of the service organization, user entities, and user auditors.
System and Organization Controls for Service Organizations: Trust Services Criteria for General Use Report (SOC 3)
Trust Services Report for Service Organizations.
These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. Because they are general use reports, SOC 3 reports can be freely distributed.