When considering the broad spectrum of services provided by outsourced service providers in today’s marketplace, some service types lend themselves clearly to one SOC reporting option over another. To best understand the reporting options, it’s important to consider the intended use and audience in each case. There are three SOC reporting options currently available in the marketplace – SOC 1, 2 and 3. Each SOC reporting option allows the management of a service organisation to provide a level of transparency around its internal controls to its customers and/or prospective customers.
SOC 1 – SOC for Service Organization: ICFR
These reports cover controls that are relevant to Internal Control over Financial Reporting (ICFR). For example, traditional payroll processing, claims management, and payment processing lend themselves to SOC 1 reporting due to their direct relationship with customers’ financial reporting processes. The purpose of a SOC 1 report is to support the financial statement audit of the customer. Intended audience for the report: service organisations, user organisations, and auditors of the user organisations.
Each SOC option can be prepared as a point in time assessment of control design (Type I) or assessment of design and operating effectiveness over a period of time (Type II).
There are two types of reports for these engagements:
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period (minimum of six months).
SOC 2 – SOC for Service Organizations: Trust Services Criteria
SOC 2 reports focus on the Outsourced Service Provider’s (OSP’s) controls that are relevant to the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria. Organisations that successfully complete a SOC 2 audit can offer their clients reasonable assurance that an independent reviewer has assessed their controls that relate to Security, Availability, Confidentiality, Processing Integrity and Privacy.
Intended audience for the report: Stakeholders of the system—for example, management, customers, and business partners
Similar to a SOC 1 report, there are two types of reports: a Type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a Type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is restricted.
SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report
These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report. Because they are general use reports, SOC 3 reports can be freely distributed, and because of that unlimited distribution they provide a high-level summary of information.
Intended audience for the report: Any interested parties.
About E Com Security SOC 2 Reports
E Com Security Solutions is recognised as one of the market leaders in security, privacy, and internal control services. We have a dedicated practice of risk and control specialists with deep industry focus and experience. We have assisted over 1000 organisations with SOC 2 reports, and our opinion stating that your operating controls meet SOC 2 standards is likely to reinforce customer confidence in your company.
We use a tailored approach that works for you – reducing the effort needed to gather required information while also helping you and your staff gain a clearer understanding of the SOC 2 requirements. We also have our own proprietary processes, templates, and deliverables, which allow us to accelerate every phase of the audit and reporting process while keeping you up to date in all phases of the engagement.