What is a SOC report?
Business software has become ubiquitous. The average mid-sized company works with more than 10 technology vendors, and some larger corporations can deal with hundreds.
But with hacks and data breaches on the rise, it’s increasingly important for your organization to earn customers’ trust.
Without a longstanding relationship, it’s difficult to know if a third-party provider can be relied on to secure your critical data.
That’s where Service Organization Control (SOC) comes in. A SOC report is like a letter grade in the restaurant window. At a glance, it proves you pay attention to crucial details.
But what is a SOC report, and how do you get one? This article has the comprehensive introduction you need.
What is a SOC report used for?
A SOC report is generated by an independent audit of a company’s information security systems. It’s a comprehensive review of what the company does to secure the information it works with.
A company might request a SOC report because a prospective client has asked for one as a condition for working together. This is a common practice, similar to asking for references before hiring an employee.
Alternatively, a business might decide to pursue SOC compliance before anybody asks for it. This can help to attract clients by demonstrating that the company can be trusted. The term “audit” often implies that the subject is suspected of wrongdoing, but with SOC, that couldn’t be further from the truth.
SOC is specifically designed to test the security of information systems. Therefore, companies that seek a SOC examination tend to be in the business of handling large amounts of information on behalf of other companies. Examples include (but are not limited to) accountants, money managers, staffing firms, marketing agencies, third-party software developers, and anybody who provides cloud storage.
At Secureframe, we regularly seek SOC 2 compliance to practice what we preach. As compliance automation professionals, we’re a prime example of a business that needs to build trust among our customer base.
SOC stands for Service Organization Control. The American Institute of Certified Public Accountants (AICPA) oversees the process. Only a CPA or an organization accredited by the AICPA can conduct a SOC audit.
Preparatory materials often group controls into specialized versions of SOC 2 targeted at particular goals, for example SOC for Cybersecurity, SOC for Supply Chain, and so on.
Beyond these divisions, each SOC report is personalized to the specific company under audit. Auditors must evaluate a few common criteria related to security, but they’re otherwise free to evaluate any of a long suggested internal control list. Ultimately, no two SOC reports will look exactly alike.
What is the difference between SOC and ISO 27001?
Given that they’re both standards for auditing information security protocols, SOC and ISO 27001 are often confused. If you’ve ever mixed them up, you’re not alone: ISO and SOC share almost all the same controls, varying by as little as 4%.
But they’re not identical. There are two key differences between SOC and ISO 27001:
- Type of security. SOC is a freeform set of standards that measure what your company is doing to protect client information. ISO 27001 has the same goal but a more restricted way of achieving it. To achieve ISO 27001 compliance, businesses must build and document an information security management system (ISMS). That’s a slightly more stringent standard.
- Geographic area. SOC audits are better-known in North America and thus carry more weight. ISO 27001 is more popular outside of North America. This is almost always the deciding factor.
What are the contents of a SOC report?
The AICPA provides an illustrated example of a SOC report on its website. It runs 31 pages, a fairly typical length.
A quick review of the contents reveals the following:
- Opinion letter: A summary of the auditor’s opinion, stating whether they think the target company passes inspection. There are four possible outcomes:
  - An “unqualified opinion” is a pass with flying colors.
  - A “qualified opinion” means the company is almost compliant, but one or more areas aren’t there yet.
  - An “adverse opinion” is a failure. The company falls short in one or more non-negotiable areas.
  - A “disclaimer of opinion” means the auditor doesn’t have enough evidence to support any of the first three options.
- Management assertion: Summarizes what the managers of the company under audit told the auditor about their information security controls.
- Description of systems: Explains what the company does and how they describe their own infrastructure.
- Applicable trust services criteria: Lists each internal control the company believed was applicable to their own services, alongside the results of tests on those controls.
- Other information: Information provided by the company that the auditor determined not to be relevant.
Now that you have a better idea of what SOC reporting looks like, let’s explore the four different shapes SOC comes in.
What are the different types of SOC reports?
Each type of SOC report has a slightly different set of use cases.
As you’ll read in the next section, SOC 1 and SOC 2 are subdivided into Type I and Type II. Both I and II refer to how the audit is conducted, while 1, 2, and 3 refer to the subject matter of the SOC report.
A SOC 1 audit is for any organization that provides its clients with services related to financial reporting.
To put it another way: if anything a business does could impact a financial audit of one of that business’s clients, that business might need a SOC 1 report.
Examples include accountants, payroll processors, or tax preparation assistants.
Since CPAs manage SOC, and financial information is often the most sensitive, financial controls are an area of special interest. The SOC 1 process examines a company’s security and business processes, looking for any risks to users’ financial information.
A service auditor should also check to see if any risks that arise from the audited business could impact internal controls put in place by clients. You could have the best information security in the world, but that’s not worth much if you contract with third parties who don’t uphold the same standards.
SOC 2 is by far the most commonly sought form of SOC compliance. It’s for any organization providing third-party services that require customers to trust them with sensitive data (such services are known as “trust services” for short).
Instead of a pre-determined list of controls like those that make up most ISO criteria, SOC 2 is based on the “trust services criteria” (TSC). This groups suggested controls under five categories:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
The controls grouped under Security, known as the “common criteria,” are the only ones required to undergo a SOC 2 audit. Companies are asked to document their control environment, communication and information protocols, risk assessment processes, and how they implement and monitor controls.
All the others are optional, though any reputable auditor will check on more than the bare minimum.
A company that gets a SOC 2 audit usually provides some sort of B2B service, but it’s not uncommon for a B2C company to seek a compliance audit as well. However, since a SOC report is not necessarily public knowledge (and isn’t easy for a non-professional to parse), the company might get a SOC 3 report instead.
A SOC 3 report is similar to a SOC 2, except it’s shorter. It’s a more digestible product that can be used for marketing or made available to customers for free. SOC 3 reports are an easy way to build trust among large groups of individuals.
What is a SOC audit?
A SOC report is generated by a SOC audit conducted by a SOC auditor. This is usually a CPA or an AICPA-accredited organization. Before you invite an auditor to your office, your first step is to decide exactly what sort of SOC report you need.
First, choose from among the three SOC categories in the previous section. They’re not mutually exclusive. In fact, some companies might seek all three.
Plenty of large corporations offer both financial and non-financial services and want to build trust among businesses and the public.
Say your company is a small startup that provides cloud services to larger businesses. Obviously, you would choose SOC 2.
Next, you’ll need to choose a type. You have two options:
- SOC 2 Type I: An audit that checks whether your systems are designed according to the trust services criteria. Type I audits are relatively cheap and easy (they can easily be done in under a month) but they provide less complete information. Think of a kid who cleans his room an hour before he knows his parents will inspect it. The room may be clean, but there’s no evidence that best practices are being consistently followed.
- SOC 2 Type II: An audit that examines how your systems are designed AND whether they work in practice. A Type II report takes longer (up to a year) because the auditor needs to observe and test your controls operating over a period of time. However, once you pass, there’s no doubt whatsoever that you comply.
Choose based on your budget and how urgently you need the report. Many organizations choose to start with a Type I audit and then use that report as the foundation for a Type II audit.
Next, conduct a readiness assessment. This is like studying for the test — it ensures the auditor doesn’t catch you unprepared.
To do a readiness assessment, you have to get familiar with the trust services criteria.
Be able to answer questions like:
- “How is my system protected against attacks?” (Security)
- “How do we decide when to make data from the system available?” (Availability)
- “Does the system work the way it needs to?” (Processing integrity)
- “How do we ensure the system keeps private information safe?” (Privacy)
- “When information must be shared, what keeps the exchange secure?” (Confidentiality)
Consider every possible way the Trust Services Criteria might apply to your infrastructure. If you discover any areas in which your system falls short, determine what you need to do to become compliant. This is called a “gap analysis” — closing the gap between where your system is and where it needs to be.
Document everything heavily. You should be able to look at a complete list of the TSC and immediately produce a document explaining how your information security meets each criterion.
Finally, decide who you want to serve as your auditor. Pick a well-reviewed CPA or auditing firm that has experience in your industry.
The auditor will spend anywhere from a few weeks to several months working with your team before producing a SOC report. If you get an unqualified opinion, congratulations! If not, use the SOC report as an instruction manual for closing gaps and try again.
A SOC report is a stand-in for a trust relationship built over time. It takes a lot of work, but every other trust-building method takes more.
There’s really only one foolproof way to get a SOC report hassle-free. You have to work with a company that knows what they’re doing.
You’ve already seen that Secureframe is SOC 2 compliant. Our automations help businesses manage the complex compliance process with minimum friction. If you’re thinking about seeking a SOC report, get in touch with us today.