Do you use a payroll service to process your company’s payroll? Do you rely on an application service provider to perform certain processes? Do you expect a bank or investment broker to keep your company’s financial information secure? Does your business rely on another company (service organization) to handle confidential client information (social security numbers, dates of birth, bank account information, pay rates, etc.)? If so, how do you know that they are taking the necessary steps/precautions to make sure that they are keeping that information safe?
There are various measures that companies can take in order to gain confidence that information is being stored securely, but one of the more popular methods is to review the service organization’s most recent Service Organization Control (SOC) report. A SOC report is the product of a SOC engagement performed by a service auditor (which may be a CPA firm). The purpose of a SOC engagement is to assess controls related to services that may impact the Company’s internal control over financial reporting (SOC 1) or controls relevant to security, availability, processing integrity, confidentiality, or privacy (SOC 2 and SOC 3). The following are key pieces of information which are likely to be important to any company assessing the security of its information.
Types of SOC reports
The standard SOC evaluations that a Company may have performed are SOC 1, SOC 2, and SOC 3. SOC 1 engagements are used to provide readers of the report with information about controls at the service organization that are likely to be relevant to a user entity’s internal control over financial reporting. SOC 2 and SOC 3 engagements serve a similar purpose, except they focus on controls that relate specifically to security, availability, processing integrity, confidentiality, or privacy at the service organization.
It is important to note that for SOC 1 and SOC 2, there are two different types of assessments that can be performed. A Type 1 report concludes on whether management’s description of its controls is fairly represented as of a specific date in time. A Type 2 report concludes on the reasonableness of the description of the controls at the service organization over a period of time, the reasonableness of the description of the tests of controls, and the results of the testing of operating effectiveness performed by the auditor.
In response to the growing trend of companies storing and processing data electronically, the AICPA recently came out with guidance for SOC engagements for Cybersecurity. The primary difference between a standard SOC engagement and an engagement related to Cybersecurity is that a standard SOC engagement includes digital threats as well as threats arising from physical access to data. A SOC engagement for Cybersecurity is performed by a service auditor that is engaged to assess a service provider’s risk management program through evaluation of the provider’s description of its system and by testing related controls.
Understanding the service organization
A SOC report can be an excellent information resource for users of the service organization. A SOC report will include the service organization’s description of its systems and internal controls (for example, controls related to software, infrastructure, human resources, data, and others). Additionally, SOC reports tend to include the service organization’s description of the processes and procedures utilized to assess risk, improve information and communication systems, and monitor the environment in which they operate (to identify additional controls that should be implemented and to identify new risks).
Understanding the results of testing performed
For a service organization that has a Type 2 assessment performed, it is important for a user of the report to assess whether any exceptions identified would affect their organization. When an exception is identified by the service auditor, a user of the SOC report should consider whether or not the exception identifies a failure that is significant enough to create a risk that the service organization cannot sufficiently protect user data.