What does a SOC Report Cover?

By PKF Team Blog October 29, 2020

SOC 1

A SOC 1 examination focuses on controls relevant to an audit of a service organization’s systems that has an impact/influence on its customers’ financial statements. In cooperation with the service auditor, the service organization defines key control objectives for services provided to their customers. Readers of SOC 1 reports could be financial executives at a user organization, compliance officers, and financial auditors of the service organization.

SOC 2

A SOC 2 report focuses on the needs of a broad range of users who need information and assurance about controls at a service organization. As outlined by AICPA’s Trusted Services Criteria (TSC), SOC 2 reports are based on 5 criteria:

As part of the SOC 2 examination, the Security aspect is the only required criteria. A service organization can choose to be examined on Security alone or Security and a combination of other criteria. The readers of SOC 2 reports can also be an organization’s financial executives, compliance officers, and financial statement auditors, but can also include an organization’s information technology executives, business partners, regulators, or other stakeholders.

SOC 3

SOC 3 report covers the same testing procedures as a SOC 2 report, but it omits the detailed test results, and it is intended for public distribution. A service organization can use SOC 3 reports as a marketing tool to promote their services to prospective customers.

Since SOC 1 and SOC 2 reports may contain sensitive information about service organizations, they are considered restricted-use reports. These reports should only be shared with the management of the service organization, customers of the service organization, and the user entities’ financial auditors.

What is the difference between a Type I and a Type II?

A type I Audit Report is a point time report

Type I examinations cover the design of a service organization’s controls, but not the operating effectiveness.
Type I reports are issued to organizations that have controls in place but have not yet audited them.
A readiness assessment can be performed even before the Type I SOC Report for your service organization to understand their existing controls and recommendations that should be implemented prior to the full Type I SOC assessment.

A Type II Audit Report covers a period, typically 12 months (e.g., January 1, 2019 – December 31, 2019).

Type II audit covers the design and operating effectiveness of the internal controls over a defined period.
A Type II SOC engagement provides reasonable assurance that the controls operated effectively to meet the service organization’s control objectives over the service commitments and system requirements during the period under review.
AICPA guidance recommends that a reporting period cover a minimum of six months. The guidance also indicates that a Type II report which covers a period of fewer than six months is unlikely to be useful to user entities and their auditors.

SOC Report Structure

SOC report contains 4 sections – Opinion Letter, Management Assertion, Description of the System, Test of Controls, and Results of Testing.

The Opinion Letter

The opinion letter contains the scope of the report, test period (Type II), or point in time report (Type I), and audit opinion.

Although a qualified report opinion is not ideal, many service organizations issue a qualified report at some point in time, especially in their first year of issuing a SOC report.

Management assertion

Management assertion includes statements made by the management of service organization such as:

– An assertion that the description of the system fairly presents the system.

– The control objectives were suitably designed (Type I) or suitably designed and operating effectively (Type II).

– Discussion of the criteria used to make the assertion.

Description of the System

A System Description is a way in which management describes to its users the system that supports the delivery of products, solutions, or services to its customers.

Tests of Controls and Results of Testing

In this section, a SOC auditor describes the controls that were tested as part of the examination, test procedures used for testing, and the results of testing.

Our team of IT audit professionals has broad experience in completing SOC attestation engagements for service organizations worldwide. If you need further information or assistance on SOC engagements, please contact us: info@pkfantares.com