Article
SOC FAQ
May 09, 2023 · Authored by Andrew Wittig, Patrick Hottel
As organizations face intensified scrutiny over their internal controls, risk management practices must evolve to provide an increased degree of assurance. The American Institute of CPAs (AICPA) developed System and Organization Controls (SOC) reporting as a valuable tool for organizations to demonstrate to their customers and other key stakeholders that their controls are working.
Explore the FAQs below, or connect with a SOC professional to tell us more about your reporting needs.
The basics
SOC 1®, SOC 2®, SOC 3®, SOC for Cybersecurity and SOC for Supply Chain.
A Type 1 SOC report addresses the design of controls as of a point in time. A Type 2 SOC report addresses the operating effectiveness of controls over a period of time. Type 1 reports provide less comfort to the intended audience of the report and are uncommon.
Note: The Type 1 or Type 2 concept is applicable to all of the SOC reports (i.e., SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, SOC for Supply Chain)
The SOC 2 and SOC 3 both address the Trust Services Criteria. The SOC 2 is a detailed report intended for limited distribution (such as your customers and their auditors). A SOC 3 contains less detail and is generally intended for general distribution.
SOC 1 Type 2 and SOC 2 Type 2 are the two most common reports.
The need for a SOC report is primarily driven by demand from your customers. However, in some industries they may be required by regulation or compliance requirements.
The players
A subservice organization is a service organization providing services to the service organization. If you outsource a particular function (such as data center hosting or managed services), the company you outsource that function to would typically be considered a subservice organization, if those services are within the scope of your examination.
CSOCs are the controls that must be implemented at the subservice organization(s) in order for the entire process to work.
- Service organization – The organization under examination
- Service auditor – The organization performing the examination
- User organization – Customers who receive your SOC report
- User auditors – Customers’ auditors who may ask to see the SOC report
CUECs are controls that are the responsibility of the user organizations themselves. They must be implemented in order for the entire process to work.
The audience
User organizations’ financial executives, compliance officers and financial statement auditors are the typical audience for a SOC 1 report.
User organizations’ information technology executives, compliance officers, vendor management executives, regulators, other specified parties and appropriate business partners are the typical audience for a SOC 2 report.
The purpose
A SOC 1 Report reports on the controls of the service organization that are relevant to the user organization's internal controls over financial reporting.
SOC 2 and SOC 3 reports are typically used to provide organizations comfort around the information security controls at their vendors. The reports are based on the selected trust services criteria (TSC), which at a minimum typically include security and also may include availability, confidentiality, processing integrity and privacy. “SOC 2+” reports can also include other suitable criteria, such as HITRUST, the HIPAA Security Rule and others.
The timeline
The time frame can vary, but typically it takes 9-14 months from the time an organization starts the readiness assessment process and goes through an audit period until a SOC report is ready to be provided to customers.
Learn more about the SOC examination time frame.
In that scenario, we may recommend a Type 1 examination, so that you don’t need to wait for the examination period to pass. However, the user entity would need to understand that a Type 1 examination isn’t typically recurring and it still typically takes three to six months from the time an organization starts the readiness assessment process until a SOC report is ready to provide to customers.
For a SOC 1 Type 2, the minimum reporting period is typically 6 months. For a SOC 2 Type 2, the minimum reporting period is typically three months. Recurring reports typically are 12 months long for both the SOC 1 Type 2 and SOC 2 Type 2.
SOC is not a certification. It is an audit opinion. The opinion covers controls as of a point in time (Type 1) or over a specified period of time (Type 2), but it is always regarding a time in the past.
© 2024 Baker Tilly US, LLP