One thing that seems to be certain–like death and taxes–is the ability of accountants and security practitioners to generate jargon. When the objectives of these two professions overlap, as is the case with audits, the jargon gets turned up to 11! In this context, you end up with a bunch of alphabet soup referring to specific certifications and auditing standards like SOC, SSAE-18, HIPAA, and PCI-DSS. SOC alone has a multitude of variations: SOC 1, SOC 2, or SOC 3, as well as Type 1 or Type 2. So, what does it all mean?
In this blog post, we’re going to drill down into the differences between the various SOC reports. But first, let’s take a quick look at the broader landscape of security audits.
What are the Different Types of Security Audits?
There are a few attributes that are common between all of these reports: they all are managed by a governing body, have a specific focus of interest, and have a defined audit period or validity duration.
We can break it down into the following table:
| Audit Name | Governing Body | Purpose | Audit Period or Validity Duration |
|---|---|---|---|
| SOC 1 | American Institute of CPAs (AICPA) | Assurance of controls in Financial Reporting for mitigating fraud | Type 1: Point in time. Type 2: Audit period, typically 3-12 months in the past |
| SOC 2 | American Institute of CPAs (AICPA) | Trust Services Criteria | Type 1: Point in time. Type 2: Audit period, typically 3-12 months in the past |
| SOC 3 | American Institute of CPAs (AICPA) | Simplified SOC 2 report intended for a general audience | Audit period, typically 3-12 months in the past |
| HIPAA/HITECH | US Government, Health and Human Services’ Office for Civil Rights | Assurance of compliance with regulations covering Patient Health Information | One year |
| PCI-DSS | Payment Card Industry | Secure access, processing and storage of credit card data: the security program, policies, procedures, systems, applications, and networks for protecting credit card data | Valid for one year from the audit |
| ISO-27001 | International Standards Organization | International Standard for Information Security Management Systems | Valid for up to three years from the audit |
| ITIL (ISO-20000) | Axelos | Best practices framework for Information Technology Management Systems | Individuals are certified as ITIL practitioners. For companies, the ISO 20000 certification is heavily based on ITIL |
What is a SOC Report?
A service organization controls (SOC) report is a type of audit that ensures internal controls and best practices are being met by an organization. The controls audited can be related to finances, trust services, security, integrity, privacy, confidentiality, and availability. SOC reports, of which there are many types, are created and validated by third-party auditors and are meant to be an unbiased way to help potential customers and business partners understand any risks involved in working with the audited organization.
A Brief History of SOC Reports and Underlying Standards
SOC reports are one of the most common types of security reports used in the United States. The different SOC reports are based upon standards written by the American Institute of CPAs (AICPA). The standard is called Statement on Standards for Attestation Engagements (SSAE-18). At least, that’s what it’s called now. The AICPA updates the standards from time to time. When the standard was first developed in 1992, it was called the Statements on Auditing Standards (SAS-70). In June 2011, it was renamed Statement on Standards for Attestation Engagements (SSAE-16). The latest version was adopted in May of 2017 and is called SSAE-18.
When SOC auditing began, the scope was limited to ensuring systems were meeting a company’s internal control objectives. The scope evolved and grew over time. Requirements were developed around protecting finance systems and ensuring the accuracy of financial reporting. And with the onset of cloud computing and Software-as-a-Service (SaaS), the standards grew again to encompass the security of third-party systems.
To add another dollop of confusion, the acronym SOC gets called a couple of different things. Sometimes it is referred to as a “Statement on Controls.” Other times it is called “Service Organization Controls.” These two terms are also lumped together into a “Service Organization’s Statement on Controls.” The key terms are service organization, statement, and controls. SOC reports are about Service Organizations: third parties, typically other companies providing services you will be using, but possibly also an independent service organization within the same company. Controls are the program, policies, procedures, and technical tools the Service Organization uses to manage the security of the information in its possession. And the Statement is the auditor’s assessment of the suitability of the controls and their operational effectiveness for the Service Organization.
What is a SOC 1 Report?
A SOC 1 report is meant for service organizations that have a direct impact on, or may impact, their customer’s financial reporting. It is relevant to companies that are required to adhere to the regulations contained in the Sarbanes-Oxley Act. The Sarbanes-Oxley Act was enacted in the wake of major accounting scandals including Enron and WorldCom. It covers publicly traded companies. SOC 1 reports provide assurance that the company has implemented internal controls over its financial reporting to mitigate the risk of fraud.
What is a SOC 2 Report?
A SOC 2 report has a broader purpose. Its goal is to make sure that systems are set in accordance with the Trust Services Criteria. The Trust Services Criteria or Trust Services Principles, like the SSAE-18 standards, were developed by AICPA, specifically, the Assurance Services Executive Committee (ASEC).
As noted on the AICPA website, the Criteria addresses five categories:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
What is a SOC 3 Report?
Amidst all of this, the SOC 3 report may be the easiest to understand. It’s no more than a simplified or summarized version of the SOC 2 report. It does not contain any sensitive information and is suitable for public distribution.
What are the Differences Between SOC Type 1 and Type 2 Reports?
Finally, we get to the last point of interest in this post: the difference between Type 1 and Type 2 reports. Both SOC 1 and SOC 2 reports may be Type 1 or Type 2.
Here are the three key differences:
Description vs Evidence
- Type 1 provides a description of the procedures and controls a company has implemented.
- Type 2 contains evidence of the effectiveness of the controls.
Attestation vs Validation
- Type 1 attests to the suitability of controls.
- Type 2 validates the operational effectiveness of the controls.
Point in Time vs Audit Period
- Type 1 describes procedures and controls at a point in time.
- Type 2 details how controls have operated during a period of time, the audit period.
Coming Soon: How to Read a SOC Report
I hope this post provides a basic understanding of the three SOC reports and the differences between them. Understanding what these reports are meant to do will help you understand their benefits. SOC reports are not just for businesses operating in regulated industries. At the most basic level, whether or not a company even has a SOC report is telling. Have they taken the time and expense to demonstrate their security program to an independent auditor?
Beyond that, there’s a lot of valuable information in these reports. CFOs at small and medium-sized businesses that rely on third-party services (that’s pretty much all businesses these days) will benefit from the information contained in a vendor’s SOC report. SOC reports cover a lot of ground, from a vendor’s encryption of data, to their change management process, all the way to who they hire and how.
In an upcoming post, I will discuss how to read a SOC report in order to maximize your valuable time and energy to get the most out of the reports.