
A Guide on SOC Reports: SOC 1, 2, 3 & SOC for Cybersecurity Explained

Article Summary

  • SOC 2 Trust Services Criteria were updated to align with the 2013 COSO Internal Control Framework and include enhanced focus on cybersecurity, governance, and risk management.
  • New description criteria require expanded disclosures, including principal service commitments, system requirements, and system incidents.
  • SOC Type 1 vs. Type 2 reports differ in scope: Type 1 evaluates controls at a point in time, while Type 2 assesses operating effectiveness over a period (often 12 months).
  • SOC 3 reports are general-use summaries of SOC 2 reports and can be shared publicly for marketing and transparency purposes.
  • SOC for Cybersecurity engagements provide broader assurance over an organization’s cybersecurity risk management program and are appropriate for general use.

SOC 2 Trust Service Criteria

Are you looking for information about the new changes to the SOC 2 standards? Few reports have been issued under the new guidance, and many companies are seeking clarification on how and when their control systems and descriptions will be affected.

Main changes

The new criteria align the previous trust service criteria with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework for Internal Control. The COSO framework is a widely used and robust model for internal control with 17 principles grouped into five components: control environment, information and communication, risk assessment, monitoring activities, and control activities. The new criteria also address cybersecurity risk and add criteria specific to availability, processing integrity, confidentiality, and privacy. In doing this, some language has been changed to avoid confusion – the Trust Service Principles and Criteria are now just Trust Service Criteria, as COSO already used the term principles to refer to elements of internal control.

There are also new description criteria. Management and service professionals have been evaluating descriptions of the subject matter for many of these elements previously, but now the criteria are clearly defined.

These changes are effective for reporting periods ending after December 15, 2018.

Organization of new trust service criteria

Each criterion has underlying points of focus to help management and service professionals evaluate the design of controls. For example, CC1.1 is the criterion “the entity demonstrates a commitment to integrity and ethical values.” The first point of focus for this criterion is:

“Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.”

Points of focus are meant to serve as guides, and companies do not need a control for each point of focus as long as existing controls provide reasonable assurance that the criteria are met. For a complete list of the new criteria and points of focus, and a mapping to the old criteria, see the AICPA online tool.

New description criteria

Management and service professionals have been implicitly applying description criteria for some time, but the new criteria clearly define requirements for management’s description of the subject matter. Management’s description now should include:

  • Types of services provided
  • Principal service commitments and system requirements
  • Components of the system used to provide the services, including:
    • Infrastructure
    • Software
    • People
    • Procedures
    • Data
  • Description of system incidents
  • Applicable trust service criteria and applicable controls to provide reasonable assurance that service commitments and system requirements were achieved
  • Complementary user entity controls
  • Complementary subservice organization controls

The most drastic change related to the management’s description is the requirement for principal service commitments, principal system requirements, and system incidents. These main additional disclosure requirements are defined as follows:

Principal Service Commitments – declarations made by service organization management to user entities about the system used to provide the service and the objectives of the system. Examples of such commitment statements may include:

  • The organization will provide a privacy notice to customers once every 6 months or when there is a change in the organization’s business policies.
  • The organization will respond to access requests within 10 working days of receiving the request from its customers.

Principal System Requirements – specifications about how the system should function to meet the service organization’s commitments to customers, relevant laws and regulations, and guidelines of industry groups, such as business or trade associations. Examples of such system requirement statements may include:

  • Business processing rules and standards established by regulators, for example, security requirements under the Health Insurance Portability and Accountability Act (HIPAA)
  • Workforce member fingerprinting and background checks established in government banking regulations

System incidents – description regarding the nature, timing, and extent of any incidents that (a) were the result of controls that were not suitably designed or operating effectively or (b) otherwise resulted in a significant failure in the achievement of one or more of those service commitments and system requirements, as of the date of the description or during the period of time covered by the description.

Impact on You

New controls may need to be added to address previously unmitigated risks. For example, the new criteria add controls related to governance, risk management, and third-party management. A mapping of the old 2016 Trust Service Principles and Criteria to the new 2017 Trust Service Criteria is available through the AICPA to aid in this process.

Management may need to modify the description of the subject matter or system to comply with enhanced description criteria.


What Period Should My Type 2 SOC Report Cover?

A SOC Type 1 report provides an opinion on whether or not controls are implemented as of a certain date but does not provide an opinion on the operating effectiveness of those controls. Many user entities (i.e. the service organization’s customers and their auditors) request that service organizations provide a SOC Type 2 report to provide comfort that controls are operating effectively throughout a period of time. In practice, most user auditors and user entities will need such evidence in order to truly rely on the SOC report to minimize or eliminate their testing of controls in place at the service organization. Most Type 2 reports cover a 12-month period; however, there is currently no required minimum period length which the report must cover. So how does a service organization decide what period of time the SOC Type 2 report should cover to address a wide variety of user entities’ needs? There are mainly two factors to consider:

  • User Entities’ Reporting Periods
  • Service Organization Resources

Consideration 1: User Entities’ Reporting Periods

The first factor in determining the appropriate period for a Type 2 report is the user entities’ reporting periods.

This excerpt from the AICPA SOC 1 Audit Guide provides some guidance for consideration.

2.15 The user auditor should evaluate whether the period covered by a given type 2 report is appropriate for the user auditor’s purposes. To provide evidence in support of the user auditor’s risk assessment, the period covered by the type 2 report would need to overlap a substantial portion of the period covered by the user entity’s financial statements being audited.

As noted in the excerpt above, a user auditor will consider the SOC 2 Type 2 report most beneficial if it overlaps a substantial portion of the period covered by the user entity’s financial statements being audited. A general rule of thumb in the industry to define “substantial” is that the report overlaps at least six months of the user entity’s financial statement period.

The AICPA SOC 1 Audit Guide further clarifies this with the following examples:

2.17 The service organization may consider the following examples when determining an appropriate test period for a type 2 report.

Example 1. The majority of user entities have calendar year-ends. The service organization may want to provide a type 2 report for the period January 1, 20X0, to December 31, 20X0, to maximize the usefulness of the report to user entities and their auditors.

Example 2. User entities have year-ends that span all months of the year. The service organization determines that issuing a report each quarter (or more often than annually) with tests of operating effectiveness that cover twelve months is most likely to maximize the usefulness of the report to user entities and their auditors.

As these examples illustrate, the primary driving force for a company’s SOC Type 2 report period is the user entities’ reporting year-ends. The general rule of thumb is that the report period should cover at least six months of the user entities’ financial statement period, with renewal on an annual basis. As illustrated in Example 2 above, some service organizations may require more frequent reporting to satisfy a wide variety of user entity year-ends. This is common for service organizations such as payroll or cloud computing companies.

Consideration 2: Service Organization Resources

Another factor to consider is the level of resources available to respond to SOC examination requests. An organization may not want an examination taking place concurrently with other large organizational initiatives. When this overlap is present, one option is to shift the exam period slightly to a time when resources are available to oversee the SOC exam, while still accommodating the need for the report to cover a substantial portion of the period covered by the user entity’s financial statements being audited. For example, if the majority of a service organization’s user entities have calendar year-ends but the service organization is not able to get the report completed in Q4 due to personnel constraints (e.g. open enrollment for insurance carriers), then an acceptable alternative timing may be October 1, 20X9 to September 30, 20X0. In order to provide comfort to user entities or their auditors for the last 3 months of the calendar year not covered by the SOC Type 2 report, a service organization may issue a bridge letter (also known as a gap letter) stating that there have been no significant changes to the controls or control environment during those 3 months.
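The two considerations above reduce to a date-arithmetic check that a service organization (or a user auditor assessing a vendor’s report) can run for each user entity: how much of the user entity’s fiscal year the report period overlaps, whether that meets the six-month rule of thumb, and how long the uncovered tail is that a bridge letter would have to address. The following is an added example, not code from the article or from the AICPA; the 182-day threshold for “six months”, the function names, and the sample dates (the article’s 20X9/20X0 timing with concrete years filled in) are all constructed for illustration. It also generalizes Example 2 by checking one report period against several user entities with different year-ends.

```python
from datetime import date, timedelta

# Industry rule of thumb from the article: the Type 2 period should overlap at
# least six months of the user entity's financial statement period. Expressing
# "six months" as 182 days is an assumption made for this example.
MIN_OVERLAP_DAYS = 182


def _parse(iso_day: str) -> date:
    """Parse an ISO-8601 date string such as '2020-01-01'."""
    return date.fromisoformat(iso_day)


def overlap_days(a_start: date, a_end: date, b_start: date, b_end: date) -> int:
    """Inclusive number of calendar days shared by two date ranges (0 if disjoint)."""
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    return max(0, (end - start).days + 1)


def assess_report_period(report_start: str, report_end: str,
                         fy_start: str, fy_end: str) -> dict:
    """Compare a SOC Type 2 report period with one user entity's fiscal year.

    Returns the overlap in days, whether the six-month rule of thumb is met,
    the number of fiscal-year days that fall after the report period ends,
    and whether a bridge (gap) letter is the natural way to cover those days.
    """
    r0, r1, f0, f1 = map(_parse, (report_start, report_end, fy_start, fy_end))
    shared = overlap_days(r0, r1, f0, f1)
    substantial = shared >= MIN_OVERLAP_DAYS

    # Uncovered tail of the fiscal year: from the day after the report period
    # ends (or the fiscal year start, whichever is later) through fiscal year end.
    gap = 0
    if r1 < f1:
        gap_start = max(r1 + timedelta(days=1), f0)
        gap = (f1 - gap_start).days + 1

    return {
        "overlap_days": shared,
        "substantial_overlap": substantial,
        "gap_days": gap,
        # A bridge letter only helps when the report itself is usable,
        # i.e. the overlap is already substantial.
        "bridge_letter_needed": substantial and gap > 0,
    }


def user_entities_served(report_start: str, report_end: str,
                         fiscal_years: dict) -> list:
    """Names of user entities whose fiscal year the report substantially overlaps.

    fiscal_years maps a user entity name to an (fy_start, fy_end) ISO date pair.
    """
    return [
        name for name, (f0, f1) in fiscal_years.items()
        if assess_report_period(report_start, report_end, f0, f1)["substantial_overlap"]
    ]


if __name__ == "__main__":
    # Constructed sample: the article's Oct 1, 20X9 - Sep 30, 20X0 alternative
    # timing against a calendar-year user entity.
    print(assess_report_period("2019-10-01", "2020-09-30", "2020-01-01", "2020-12-31"))
    # Constructed sample: user entities with year-ends spread across the year,
    # showing that one annual report period does not serve all of them.
    customers = {
        "calendar-year user": ("2020-01-01", "2020-12-31"),
        "june-year-end user": ("2019-07-01", "2020-06-30"),
        "september-year-end user": ("2020-10-01", "2021-09-30"),
    }
    print(user_entities_served("2019-10-01", "2020-09-30", customers))
```

For the article’s October-to-September timing against a calendar-year user entity, the report overlaps 274 days of the fiscal year (well over the rule of thumb) and leaves a 92-day tail, which is exactly the three months the bridge letter covers. A user entity whose fiscal year starts the day after the report period ends gets no overlap at all, and no bridge letter fixes that; that is the situation Example 2 addresses with more frequent reporting.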


Benefits of a SOC 3 Audit

What is a SOC 3 Report?

You can think of a SOC 3 report as the whitepaper version of a SOC 2 report. According to the AICPA, the authoritative body on SOC testing and reporting, “[SOC 3] reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report.” (https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement)

The formatting starts in a similar manner (Cover page, Independent Service Auditor’s/Accountant’s Report) except that in lieu of the System Description and Results of Testing etc., the SOC 3 report will present the Boundaries of the System Description and Principal Service Commitments and System Requirements, respectively. Since the detailed system description and matrix of controls / results of testing of the controls is removed, the report may be shared with any interested users.

Benefits of SOC 3 Reporting

  • Marketing:
    • General use reports can be posted to a company’s website for potential customers to see during their initial research of a service organization
    • Reports can help to differentiate a service organization from competition that is not SOC compliant
  • Economical:
    • Generally, only an incremental fee if coupled with a SOC 2 engagement
    • Reports are easier to share than SOC 2 reports and require less employee time
  • Other:
    • Reporting is simpler to understand and may require less technical background
    • Summary-level information is less tedious for report users

A Word of Caution

Owing to the pervasive availability of the SOC 3 report, it is important to remove any potentially compromising information about your company’s network infrastructure or preferred applications from the report, so as not to create opportunities to exploit any vulnerabilities in your network.


Have you considered getting a System and Organization Controls Report (SOC) over your Cybersecurity Controls?

In May of 2017, AICPA issued a new framework to its suite of System and Organization Controls Reports (SOC) to allow organizations to obtain an audit over an organization’s Cybersecurity Risk Management Program and Controls. This framework is designed to be flexible and customizable to organizations of different sizes, and borrows much of its framework from the criteria related to the security, availability, and confidentiality categories contained in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy that are utilized for a SOC 2 Examination. Below is a summary that compares the differences between a SOC 2 and a SOC for Cybersecurity Engagement as illustrated in Appendix B of AICPA’s “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls” Audit Guide published in April 2017.

Comparison of SOC for Cybersecurity and SOC 2, question by question:

What is the purpose?
  • SOC for Cybersecurity: To provide intended users with useful information about an entity’s cybersecurity risk management program for making informed decisions.
  • SOC 2: To provide a broad range of system users with information about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy to support users’ evaluations of their own systems of internal control.

Who are the intended users?
  • SOC for Cybersecurity: Management, directors, analysts, investors, and others whose decisions might be affected by the effectiveness of the entity’s cybersecurity risk management program.
  • SOC 2: Management of the service organization and other specified parties with sufficient knowledge and understanding of the service organization and its system.

Under what professional standards and implementation guidance is the engagement performed?
  • SOC for Cybersecurity: AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements, in AICPA Professional Standards.
  • SOC 2: The same standards, AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements, in AICPA Professional Standards.

Who is the responsible party?
  • SOC for Cybersecurity: Management of an entity.
  • SOC 2: Management of a service organization.

Is the report appropriate for general use or restricted to specified parties?
  • SOC for Cybersecurity: Appropriate for general use.
  • SOC 2: Restricted to user entity personnel and specified parties, such as independent auditors and practitioners of user entities, prospective user entities, and regulators, who have sufficient knowledge and understanding of the following matters:
    • The nature of the service provided by the service organization
    • How the service organization’s system interacts with user entities and other parties
    • Internal control and its limitations
    • The nature of user entity responsibilities and their role in the user entities’ internal control as it relates to service organizations
    • The nature of subservice organizations and how their services to a service organization may affect user entities
    • The applicable trust services criteria
    • The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

What is the subject matter of management’s assertion and the engagement?
  • SOC for Cybersecurity: The description of the entity’s cybersecurity risk management program based on the description criteria.
  • SOC 2: The description of the service organization’s system as it relates to one or more of the categories in the trust services criteria.

What are the criteria for the engagement?
  • SOC for Cybersecurity: The description criteria included in appendix C, “Description Criteria for Use in the Cybersecurity Risk Management Examination,” of the Audit Guide, which includes the following criteria:
    1. Nature of business and operations
    2. Nature of information at risk
    3. Cybersecurity risk management program objectives
    4. Factors that have a significant effect on inherent cybersecurity risks
    5. Cybersecurity risk governance structure
    6. Cybersecurity risk assessment process
    7. Cybersecurity communications and the quality of cybersecurity information
    8. Monitoring of the cybersecurity risk management program
    9. Cybersecurity control processes
  • SOC 2: Paragraphs 1.26–1.27 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) contain the criteria for the description of the service organization’s system, which include the following:
    1. Types of services provided
    2. Principal service commitments and system requirements
    3. Components of the system used to provide the services, including:
       1. Infrastructure
       2. Software
       3. People
       4. Procedures
       5. Data
    4. Description of system incidents
    5. Applicable trust service criteria and applicable controls to provide reasonable assurance that service commitments and system requirements were achieved
    6. Complementary user entity controls
    7. Complementary subservice organization controls
    8. Any specific criterion of the applicable trust services criteria that is not relevant to the system and the reasons it is not relevant
    9. Significant changes to the service organization’s system and controls during the period

What are the contents of the report?
  • SOC for Cybersecurity:
    • A description of the entity’s cybersecurity risk management program
    • A written assertion by management about whether (a) the description of the entity’s cybersecurity risk management program was presented in accordance with the description criteria and (b) controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
    • A practitioner’s report that contains an opinion about whether (a) the description of the entity’s cybersecurity risk management program was presented in accordance with the description criteria and (b) the controls within that program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
  • SOC 2:
    • A description of the service organization’s system
    • A written assertion by management of the service organization regarding the description of the service organization’s system and the suitability of the design and the operating effectiveness of the controls in meeting the applicable trust services criteria
    • A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to meet the criteria
    • In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests

What are the different types of SOC reports?
  • SOC for Cybersecurity:
    • Design only – similar to a Type 1 SOC 2 report.
    • Design and operating effectiveness – similar to a Type 2 SOC 2 report.
  • SOC 2:
    • Type 1 – testing of controls at a point in time.
    • Type 2 – testing of controls for a period of time.

What is the treatment of subservice organizations (SSO)?
  • SOC for Cybersecurity: No carve-out of subservice organizations is allowed. Controls of the third parties must be included within the scope of the evaluation.
  • SOC 2: Can choose to include or carve out subservice organizations.


SOC for Cybersecurity could be a great tool for any organization to communicate relevant and useful information regarding the effectiveness of its cybersecurity risk management program.

For more information about these topics, contact the Larson & Company SOC Team


Frequently Asked Questions About SOC Reports

What changed in the SOC 2 Trust Services Criteria?
The updated criteria align with the 2013 COSO Internal Control Framework and include enhanced governance, risk management, third-party oversight, and clearer description requirements such as principal service commitments and system incidents.

What is the difference between a SOC 2 Type 1 and Type 2 report?
A Type 1 report evaluates whether controls are suitably designed at a specific point in time. A Type 2 report evaluates both design and operating effectiveness of controls over a defined period, often 12 months.

How long should a SOC 2 Type 2 report cover?
While there is no required minimum period, most Type 2 reports cover 12 months and should overlap at least six months of user entities’ financial reporting periods to maximize usefulness.

What is the purpose of a SOC 3 report?
A SOC 3 report provides a high-level, general-use summary of a SOC 2 examination. It excludes detailed testing results and can be publicly shared for marketing and customer assurance purposes.

What is a SOC for Cybersecurity engagement?
SOC for Cybersecurity is an AICPA framework that evaluates an organization’s cybersecurity risk management program and controls. Unlike SOC 2, it is designed for general use and broader stakeholders such as investors and directors.