What is System and Organization Controls (SOC)?

System and Organization Controls (SOC) is a suite of reports created via a formal audit. There are three types of System and Organization Controls (SOC) audits.

1. SOC 1: This report concerns internal controls of financial reporting. It is focused transaction and security processing controls.

2. SOC 2: A SOC 2 is ideal for businesses whose regulators, auditors and executives require documented standards. The report focusses on security controls of an organization.

3. SOC 3: This report is a simplified version of SOC 2 reports. It is a lesser formalized documentation. SOC 3 reporting is appropriate for businesses with less regulatory oversight concerns. This report can be distributed to the general public.

In addition to the above three, there are specialized System and Organization Controls (SOC) reports for Cybersecurity and Supply Chain. SOC 1 and SOC 2 reports are proposed for a restricted audience. It is consumed by users with adequate understanding of the system that is audited.

These reports can play an important role in:
a. Oversight of the organization
b. Vendor management programs
c. Internal corporate governance and risk management processes
d. Regulatory oversight

There are two levels of System and Organization Controls (SOC) reports which are also specified by SSAE no. 18

System and Organization Controls (SOC 2) Type 1

This type of report concerns an organization’s systems, policies, procedures and controls at a certain date in time. Example compete status as of 1st Aug only. It does not look into any other period of time.

System and Organization Controls (SOC 2) Type II

This type of report concerns an organization’s systems, policies, procedures and controls over a period of time. Usually, the minimum period of time is 6 months. This period of time is specified before start of the audit. Example Six months for a report dated 31st Aug. The time period for the audit will be 1st March to 3st August.

The AICPA Assurance Services Executive Committee (ASEC) has developed a set of criteria for managing customer data by an organization. The criteria are termed Trust Service Criteria or TCS as commonly known. The criteria have been aligned to the 17 criteria (known as principles). The Trust Service Criteria are classified into the following categories:

Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives;

Availability: Information and systems are available for operation and use to meet the entity’s objectives;

Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives;

Confidentiality: Information designated as confidential is protected to meet the entity’s objectives; and

Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

The supplemental criteria, which apply to the achievement of the entity’s objectives relevant to a trust services engagement, are organized as follows:
• Logical and physical access controls. The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access

• System operations. The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations

• Change management. The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made

• Risk mitigation. The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners

The System and Organization Controls (SOC 2) Type II is usually conducted by a licensed Certified Public Accountant (CPA) firm who specialize in information security audits. Under the attestation standards, the CPA performing an attestation engagement is known as a practitioner. However, many information security companies conduct the audit. A CPA has to review the report and approve. Without a CPA sign off the report is not construed as a valid report. It is imperative that the report is created by a practitioner or team of practitioner who have experience and knowledge of information security. Client should read the team members resume and look for Certifications such as CISA or CISSP.

The System and Organization Controls (SOC 2) Type II audit process involves:
Reviewing the audit scope;
Developing a project plan;
Testing controls for design and/or operating effectiveness;
Documenting the results; and
Delivering and communicating the client report.

A System and Organization Controls (SOC 2) audit report includes:

An opinion letter;
Management assertion;
A detailed description of the system or service;
Details of the selected trust services categories;
Tests of controls and the results of testing;
Optional additional information.