What is a SOC?
The difference between SOC 1, 2 and 3 is quite important, assuming that you know what SOC is. Most people will have heard of a SOC audit report, but for those who do not know what SOC stands for, let us start from the beginning. SOC is the acronym for the System and Organisation Controls framework launched by the American Institute of Certified Public Accountants (AICPA). As you may expect, SOC’s roots are in financial control, with an emphasis on “internal controls over financial reporting”.
Those clever people over at the AICPA were quick to realise that if you don’t have a robust information security framework in place to protect the company’s assets, your financial controls may be the least of your worries. So SOC was expanded to include information security.
SOC reports
Before discussing the differences between the audit reports, I should point out that all three reports are very specific documents that can only be produced by qualified practitioners (which means licensed and registered Certified Public Accountants). There are published standards that qualified practitioners must follow when conducting a SOC engagement.
There are two types of reports for SOC 1 and SOC 2 audits.
- Type I report: provides a description of your company, the internal control environment, references to your policies and procedures, and an opinion on the suitability of the design of the controls in place at the point in time the report was issued
- Type II report: includes the design and testing of the controls in order to report on their operating effectiveness over a period of time (typically 12 months). This makes it extremely useful to potential clients or partners who want to see that the controls are not only in place but actually working.
What are SOC 1 and SOC 2 then?
SOC 1 covers the Internal Controls over Financial Reporting (ICFR). This type of report is intended for the auditors of the organisation’s external financial statements. It is designed to provide external parties, such as partners and clients, with assurance that a company’s internal controls over financial reporting are appropriately designed and operating effectively.
SOC 2 is different. The purpose of the SOC 2 audit is to evaluate an organisation’s information systems controls relevant to:
- Security
- Availability
- Integrity
- Confidentiality
In broad terms we can summarise SOC 1 as a financial audit and SOC 2 as an information security audit.
So where does a SOC 3 report fit in?
The problem with both types of SOC 1 and SOC 2 report is that they are rather detailed. A SOC 2 audit report describes the control framework a company has put in place, and a Type II report will also describe how effective those controls were during the reporting period.
Type II reports, if made public, could be very interesting to any potential bad actors who want to do some groundwork before attempting to gain access to the company’s systems. They describe which controls are in use and how effective they are. This is not the type of information you would normally make public.
The SOC 3 Report
The SOC 3 audit report is the publicly available report you can sometimes find published on websites or in marketing material. A SOC 3 report contains limited information: for example, it does not contain a description of the auditor’s tests of the controls or their results.
To wrap the SOC differences
If you were not aware of the SOC distinctions before reading this blog post then you should now have it “SOC’d-IT-TO-YOU” and understand that:
- a SOC 1 audit report is reporting on the financial reporting controls
- a SOC 2 audit report is reporting on the information security controls
- a SOC 3 audit report is the stamp of approval to say everything’s good
But don’t forget that a Type I audit report is a description of the control environment at a point in time, not an indication that it is actually working. A Type II audit report shows how the control environment has been working over a period of time.