"SOC report questions are coming up in the official ISC2 CISSP and CCSP exams but the topic is not adequately explained in most preparation material, leading to a lot of confusion."
BSI trainer and consultant Tom Brett, who has been training in the area of information security for over 20 years, offers his expert insight into what exactly you need to know when it comes to questions around SOC reporting.
What is a SOC report?
SOC (Service Organization Controls) reports are internal control reports, based on a set of auditing standards developed by the American Institute of Certified Public Accountants (AICPA), which concern service organizations.
Why would you request a SOC report?
- Over the last few decades, more and more organizations have moved essential services to third-party organizations, driving growth in cloud computing and similar services, including computing, backups, data storage, bill processing and payroll services, to name but a few.
- This shift to outsourcing exposes organizations to risk and increases the importance of effective vendor due diligence. In the past, organizations relied on questionnaires and contractual clauses, but these have proved insufficient for critical vendors, creating a need for an independent audit and report: a Service Organization Controls report. A SOC report allows organizations to increase trust and transparency for internal and external stakeholders.
History of SOC reporting
Statement on Auditing Standards number 70 (SAS70)
- 1992 - Service organizations were given the option of delivering a SAS70 report, which provided an opinion on the effectiveness of the controls the service organization used.
- Over a number of years, the purpose of the SAS70 stayed the same, but the organizations using it changed (infrastructure management, cloud computing, software as a service, etc.).
Statement on Standards for Attestation Engagements Number 16 (SSAE16)
- 2011 - To address these changes, SSAE 16 (Statement on Standards for Attestation Engagements Number 16) was issued, becoming effective in June 2011.
Sarbanes-Oxley (SOX)
- 2008 - Public companies in the US fall under the ‘Public Company Accounting Reform and Investor Protection Act’, more commonly known as ‘Sarbanes-Oxley’ or SOX, which requires them to meet a number of standards. SSAE 16 reporting can help service organizations comply with section 404 by demonstrating effective internal controls over financial reporting.
Technology Services
- For reports that are not specifically focused on financial reporting (for example, technology companies such as SaaS providers), the American Institute of Certified Public Accountants (AICPA) issued an interpretation under AT section 101 permitting service auditors to issue SOC 2 audit reports. These focus on the controls relevant to security, availability, processing integrity, confidentiality and privacy, and provide assurance over the delivery of the organization's services.
SOC Report Standards
There are three different standards for SOC reports:
SOC1
SOC 1, also known as SSAE No. 16 (Reporting on Controls at a Service Organization), is designed for financial transaction processing. It is used to validate controls covering the completeness and accuracy of financial transactions and financial statement reporting. The service organization specifies its own control objectives and activities.
Components of a SOC 1 report
- Auditor's opinion
- Description of controls
- Controls
Subject matter
- Controls at a service organization relevant to user entities' internal control over financial reporting
The audience of the report
- Auditors of the user entity’s financial statements, management of the user entities, and management of the service organization
SOC 2
SOC 2 (Attestation Engagements) is designed to examine and certify the vendor's controls against the five “trust services principles” established by the AICPA (security, processing integrity, availability, and confidentiality/privacy of the systems and of the data stored and processed). Service organizations are held to a standardised set of control criteria for each of the principles included in the report. SOC 2 applies to all organizations that provide services that process and store customer data.
Components of a SOC2 report
- Auditor's opinion
- Description of Controls
- Applicable Trust Services Principles and Controls
Subject matter
- Controls at a service organization relevant to the “trust services principles”: security, availability, processing integrity, confidentiality, or privacy
The audience of the report
- Available to management and others under NDA; this is not public information
SOC 3
SOC 3 is based on the same areas as a SOC 2 report (security, processing integrity, availability, and confidentiality/privacy), but it is intended for public distribution and omits the detailed test results. The vendor must go through a SOC 2 audit to obtain a SOC 3 report.
Components of a SOC 3 report
- The report includes only the auditor's opinion and a limited description of controls
Subject matter
- Controls at a service organization relevant to the “trust services principles”: security, availability, processing integrity, confidentiality, or privacy
The audience of the report
- Anyone. It is commonly used as a marketing tool aimed at the general public; it covers the same areas as a SOC 2 report but with less detail
Report Types
Each report can also be produced in two types as follows:
- Type 1 reports are based on the design of controls (a snapshot of the organization's control landscape at a point in time)
- Type 2 reports add historical context: they validate the operating effectiveness of controls over a period of time
Exam tips
For those preparing to sit the CISSP exam, you should know what each SOC report is, the differences between SOC 1, SOC 2 and SOC 3, the two report types (Type 1 and Type 2), and the intended audience of each report.
Example Questions (TEST YOUR KNOWLEDGE and see answers at the end)
1. Which of the following SOC report types are based on a single point in time?
- A. Type 1
- B. Type 2
- C. Type 3
- D. Type 4
2. A service organization is providing accounting services. Which of the following types of report would be best in order to provide trust and assurance in the quality of its services?
- A. SOC 1
- B. SOC 2
- C. SOC 3
- D. SOC 4
3. Which of the following reports would have the general public as its intended audience?
- A. SOC 1
- B. SOC 2
- C. SOC 3
- D. SOC 1 and SOC 2
4. Which of the following SOC reports would be produced for the management of a company that processes and stores customer data?
- A. SOC 1
- B. SOC 2
- C. SOC 3
- D. None of the above
5. An organization is preparing to migrate its data to an IaaS provider. As part of its third-party due diligence, it wants to understand the effectiveness of the provider's security, availability, and integrity controls. Which SOC report would provide the most detail?
- A. SOC 1
- B. SOC 2
- C. SOC 3
- D. None of the above
Answers
1A, 2A, 3C, 4B, 5B
BSI’s expert trainers are recognized as experts in their field, offering a world-class learning experience that our delegates rate as first-class.
BSI provides both classroom and in-house training courses including CISSP and CCSP across the area of information security and data protection and privacy.