Establishing System and Organization Controls (SOC) is kind of like coaching a team to a championship game. Talent alone doesn't lead to a victory. If you really want to succeed, you need a rigorous and well-considered plan—a systematic approach. As you do that, you become stronger, more capable and more resilient. Similarly, you can have good intent around your cyber security practices, but without a structured approach you won't build the trust and credibility required by most users of your service.
Trust is paramount to successful day-to-day digital exchanges, as it is among teammates on their way to winning a championship. When everyone understands the plan and parameters and is speaking the same language, efficiencies increase. From my perspective, the "no-look pass" exemplifies these elements in action. Look to any professional sport and it's there, but only when a player has complete faith in their teammates.
Like a sports team's practice routine, SOC reporting builds that faith. It demonstrates a certain level of dedication and rigor, enabling consistent reliability. It reinforces trust amongst an organization and its clients.
Companies are ultimately responsible for their control environment, and regulators are placing increased pressures on organizations to have a robust third-party risk management program. Further, the increase in cyber breaches and growing need to protect personal information are forcing organizations to take a hard look at their vendors' security and privacy practices.
A SOC report is a widely recognized indicator that a service organization has engaged a third-party independent CPA and has gone through an in-depth examination of its internal controls, which is typically shared with customers on an annual basis. It can address specific client requests, provide transparency, demonstrate that you follow leading practices, and obtain assurance on your client-facing systems and controls, all while improving maturity of your internal environment and processes.
On the court: Types of attestation reports
Levels of compliance differ to ensure service providers satisfy the attestation needs of their customers. Different types of SOC reports have been defined to address distinct user requirements:
- SOC 1 report (also known as CSAE 3416, SSAE 18, or ISAE 3402 – conducted in accordance with Canadian, US, or International standards, respectively) focuses on matters relevant to user entities' internal control over financial reporting.
- SOC 2 and SOC 3 reports (may also be issued under Canadian, US, and International standards) apply more broadly to operational controls covering security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems.
- SOC 2 and 3 can supplement a SOC 1 report by taking a "deeper dive" into key areas listed above.
A SOC report can be provided for attestation either at a point in time (Type I—not applicable to SOC 3) or over a period of time (Type II)—at least six months, or even an entire fiscal year. Type I includes a detailed description of the company's controls, while Type II adds a description of the auditor's tests of those controls. A SOC 3 does not include either a description of the controls or a description of the auditor's tests.
Thuy Nguyen, a senior manager on my Cyber Services team, has lived and breathed SOC for the past 15 years. She describes it this way: "A SOC 1 report provides assurance over controls relevant to financial reporting, which would be relied upon by a service organization's customers and their customers' auditors. So, for example, if you manage financial statements on your clients' behalf, SOC 1 enables you to demonstrate not only your business process (including information technology) but also that you have controls in place that positively impact your client's internal control over their financial reporting."
If you're new to the control environment and want to see if you have deficiencies, SOC 1 will give you a good idea on what to remediate. This is a restricted-use report intended for an organization's management, their customers, and their customers' auditors.
Where the scope of a SOC 1 report is controls over financial reporting for user (client) organizations, the scope of a SOC 2 covers organizational controls, reviewing at least one of the following five core components: security, availability, processing integrity, confidentiality and privacy. This is because not all outsourced services are related to user financial reporting requirements. A SOC 2 is for services that relate to something other than client financial reporting. An investment management service or a payroll service likely feeds into the financial reports of user organizations, and so a SOC 1 is relevant. A company that builds websites or provides other internet services is not doing financial reporting, and so a SOC 2 is relevant.
Similar to SOC 1, SOC 2 is a restricted-use report. It is intended for organizational management, their customers, and their customers' auditors.
A SOC 3 report, while similar in scope to a SOC 2, is a less detailed report that can be shared more broadly with existing and potential customers. For example, a SOC 3 report could be posted on your public website. Many organizations that must share their SOC reports with a large number of customers typically issue both a SOC 2 and a SOC 3 report.
Rather than the detailed description of the controls tested by the service auditor, the test procedures, and the results of those procedures found in a SOC 2 report, a SOC 3 report typically contains just a short auditor's opinion, a management assertion, and a system description.
Calling the play: Considerations for leadership
As a result of the SOC process, you may find you need to reallocate resources. This can include engaging more people, depending on the severity or likelihood of the risk occurring. Thuy points out that attaining SOC certification helps you update your change management manual. "Embrace the ongoing maintenance of controls and training," she advises.
As part of your provider's service, your auditors should be teaming up with you and acting as your advisor to provide good recommendations to help you improve your controls environment. Your provider should be able to clearly communicate the significance of the audit for your company and keep you proactively informed about any changes to the control requirements.
A good service auditor will also engage their clients effectively and help them understand the audit process before it begins, including the objective, scope, and approach of the engagement. They should be able to provide observations and recommendations for improving your organization's control environment. While recommendations consider relevant industry- and regulatory standards, as well as leading practices, they should be tailored to your business and right-sized to suit your needs.
Finally, consider the fact that your customers, executive members, and end-users will be reading your reports and looking for audit results. Only once SOC 1 and 2 are in place can you be confident in your demonstration of an effective control environment at a service organization—and be well-positioned for a winning no-look pass.