It’s hard for me to believe, but I originally got started with SOC examinations around 2004, when it was referred to as a SAS 70 (Statement on Auditing Standards No. 70). I was an internal auditor for a financial services company back then, tasked with managing the individual SAS 70s of various business units, of which there were upwards of 20 per year, and also with managing the relationship with the audit firm performing the audits.
At the time, service organizations used the SAS 70 as an all-encompassing internal controls audit of operations and technology/security. Whatever type of company was providing the services, be it a payroll processing company or a data center services provider, and whoever the prospective reader of the report was going to be, the SAS 70 report was used to fit the bill.
The industry realized there was a need to create separate report types to meet the unique requirements of service organizations and their customers. This brought about the SOC 1, SOC 2, and SOC 3 examinations and reports.
The System and Organization Controls (SOC) examination was designed to help service organizations that provide services to other entities (clients/customers) build trust in the services being performed by assessing the controls over those services. A service organization could be a payroll processing company, a credit card processing company, or just about any “X as a service” company (e.g., SaaS).
The SOC examination report issued by the independent service auditor provides assurance to the service organization’s clients on the suitability of design and operating effectiveness of the controls in place at the service organization to achieve the related control objectives. The independent service auditor is what many would refer to as a CPA firm.
Included below is a brief breakdown of the 3 SOC reports:
SOC 1
This examination and report most closely aligns with the former SAS 70, so much so that it’s still somewhat common to see references to SAS 70 in contracts between service organizations and their customers. This report is prepared in accordance with AT-C Section 320, “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting”.
These reports are typically triggered by clients interested in the financial statement impact of the service provided by the service organization. With that said, the examinations will still include control objectives and controls covering both operations and technology / security, similar to its predecessor, SAS 70.

SOC 2
This examination and report were created to meet the needs of modern IT and cloud service providers, focusing on the 5 trust services principles. The trust services principles are security, availability, processing integrity, confidentiality, and/or privacy. I’ll get into more detail regarding the trust services principles in a future post.
These reports are typically triggered by clients interested in the protection of data. Distribution of these reports tends to be more restrictive.

SOC 3
This report is based on the SOC 2 report, but it is meant as a general use report that can be distributed more freely. The report includes a less detailed description of the system and does not include the tests of controls and their results. I like to refer to it as an executive summary of the SOC 2 report.