
SOC Reports Explained: A Guide to SOC 1 & 2, and SOC Compliance Basics

Article Summary

  • SOC reports provide assurance that a service organization’s internal controls are designed and operating effectively.
  • SOC 1 focuses on financial reporting controls, while SOC 2 addresses security, availability, processing integrity, confidentiality, and privacy.
  • SOC examinations can be Type I (design of controls at a point in time) or Type II (design and operating effectiveness over a period).
  • SOC compliance strengthens risk management, data protection, and stakeholder confidence, especially for service organizations handling sensitive data.
  • The SOC audit process involves control documentation, testing, remediation, and independent CPA examination.

What is a SOC?

Service Organization Controls Report (SOC) is an audit report issued by an independent auditor about the design and implementation of internal controls, and potentially the operating effectiveness of internal controls for a specified period of time. These reports are used to enhance a trusting relationship between business parties.

Businesses today are increasingly interdependent. For example, auto makers rely heavily on car dealerships to sell their cars, and insurance companies rely heavily on insurance agents or administrators to manage insurance policies. A third-party organization that provides services for another entity is called a service organization. An entity that uses a service organization is called a user entity. The lack of a trusting, effective and efficient relationship between a service organization and a user entity is detrimental to an organization of any size. One such incident occurred in 2008 at Heartland Payment Systems, a credit card processing company, in which an estimated 130 million customer accounts were compromised: all of Heartland’s partners were affected by its breach.

As a result of these interdependencies, the American Institute of Certified Public Accountants (AICPA) has put forth a comprehensive framework, Service Organization Control (SOC) Reports, which helps build trust between service organizations and user entities. These reports are known as SOC 1, SOC 2, and SOC 3 Reports. The SOC Framework was established to clarify and bring needed transparency to reporting on controls at service organizations. These reports are widely used to help service organizations retain current customers and attract potential customers.

There are five components to a typical SOC report. They include the following:

  • Management Assertion: Letter issued and signed by the service organization’s management stating its assertions regarding the description of the system included in the report.
  • Independent Auditor’s Opinion: Letter issued and signed by the independent auditor regarding the design, the narrative and, for a Type II report, the operating effectiveness of the controls.
  • Management’s Description of the System: Narrative written by the service organization’s management describing the system.
  • Results of Testing (Type II reports only): Table describing each objective or criterion, the related controls that address it, the testing performed by the auditor, and the results of that testing.
  • Other Information (not required): Narratives or tables prepared by the service organization on information not included in the report or opined on by the auditor (e.g. future plans, other services provided, qualitative information).


What Period Should My Type 2 SOC Report Cover?

A SOC Type 1 report provides an opinion on whether controls are implemented as of a certain date but does not provide an opinion on the operating effectiveness of those controls. Many user entities (i.e. the service organization’s customers and their auditors) request that service organizations provide a SOC Type 2 report to provide comfort that controls are operating effectively throughout a period of time. In practice, most user auditors and user entities need such evidence in order to truly rely on the SOC report to minimize or eliminate their own testing of the controls in place at the service organization. Most Type 2 reports cover a 12-month period; however, there is currently no required minimum period that the report must cover. So how does a service organization decide what period of time its SOC Type 2 report should cover to address a wide variety of user entities’ needs? There are mainly two factors to consider:

  • User Entities’ Reporting Periods
  • Service Organization Resources

Consideration 1: User Entities’ Reporting Periods

The first factor in determining the appropriate period for a Type 2 report is the user entities’ reporting periods.

This excerpt from the AICPA SOC 1 Audit Guide provides some guidance for consideration.

2.15 The user auditor should evaluate whether the period covered by a given type 2 report is appropriate for the user auditor’s purposes. To provide evidence in support of the user auditor’s risk assessment, the period covered by the type 2 report would need to overlap a substantial portion of the period covered by the user entity’s financial statements being audited.

As noted in the excerpt above, a user auditor will consider the SOC 2 Type 2 report most beneficial if it overlaps a substantial portion of the period covered by the user entity’s financial statements being audited. A general rule of thumb in the industry to define “substantial” is that the report overlaps at least six months of the user entity’s financial statement period.

The AICPA SOC 1 Audit Guide further clarifies this with the following examples:

2.17 The service organization may consider the following examples when determining an appropriate test period for a type 2 report.

Example 1. The majority of user entities have calendar year-ends. The service organization may want to provide a type 2 report for the period January 1, 20X0, to December 31, 20X0, to maximize the usefulness of the report to user entities and their auditors.

Example 2. User entities have year-ends that span all months of the year. The service organization determines that issuing a report each quarter (or more often than annually) with tests of operating effectiveness that cover twelve months is most likely to maximize the usefulness of the report to user entities and their auditors.

As these examples illustrate, the primary driver of a company’s SOC Type 2 report period is the user entities’ reporting year-ends. The general rule of thumb is that the report period should cover at least six months of the user entities’ financial statement period, with the report renewed annually. As illustrated in Example 2 above, some service organizations may require more frequent reporting to satisfy a wide variety of user entity year-ends. This is common for service organizations such as payroll or cloud computing companies.

Consideration 2: Service Organization Resources

Another factor to consider is the level of resources available to respond to SOC examination requests. An organization may not want an examination taking place concurrently with other large organizational initiatives. When this overlap is present, one option is to shift the exam period slightly to a time when resources are available to oversee the SOC exam, while still accommodating the need for the report to cover a substantial portion of the period covered by the user entity’s financial statements being audited. For example, if the majority of a service organization’s user entities have calendar year-ends but the service organization is not able to get the report completed in Q4 due to personnel constraints (e.g. open enrollment for insurance carriers), then an acceptable alternative period may be October 1, 20X9 to September 30, 20X0. In order to provide comfort to user entities or their auditors for the last 3 months of the calendar year not covered by the SOC Type 2 report, the service organization may issue a bridge letter (also known as a gap letter) stating that there have been no significant changes to the controls or control environment during those 3 months.

What is a SOC Bridge Letter or Gap Letter?

A SOC bridge letter, also known as a gap letter, is a document used to bridge the gap between the end date of a service organization’s SOC (System and Organization Controls) report and the user entity’s (customer’s) year-end. The letter asserts to clients that there have been no significant changes to the internal controls since the last SOC report. Producing this letter also avoids obtaining a new SOC audit for every variation of period needed to match user entities’ year-ends. A bridge letter is prepared by the service organization’s management and carries no assurance from the independent service auditor.

Use Case

SOC reports typically cover a period of 6 to 12 months, but this period may not align with every user entity’s calendar or fiscal year. For instance, if a SOC report covers the period from October 1, 2023, to September 30, 2024, but the user entity’s fiscal year ends on December 31, 2024, there is a three-month gap that the SOC report does not cover. A bridge letter covers this gap by confirming that there have been no material changes to the internal controls during this period.

Example of a SOC Bridge Letter

Below is an example of a SOC bridge letter:

[Service Organization Letterhead]

Date

Re: SOC 2 Type II Audit Report Bridge Letter

To Whom It May Concern:

We have received your request for information regarding the internal controls related to our System and Organization Controls (SOC) 2 Type II audit. Our most recent SOC 2 Type II audit was conducted by [Independent Service Auditor] and includes tests of operating effectiveness for the period November 1, 2023, to October 31, 2024.

[Service Organization] recognizes the need to maintain an appropriate internal control environment and to report, in a timely manner, on the effectiveness of, as well as any material changes to, its internal controls. For the period of November 1, 2024, to December 31, 2024, there have been no material changes to the design and effectiveness of the internal controls or the control environment as described in [Service Organization]’s October 31, 2024, SOC 2 Type II Report.

Name
Title
Signature

This letter provides an assertion to clients that the internal controls have remained effective and unchanged during the gap period. It is important to note that a bridge letter is not a substitute for a SOC report but serves as an interim measure until the next SOC report is issued.

For additional guidance, reach out to the Larson SOC Team

Frequently Asked Questions About SOC Reports

What is a SOC report?
A SOC (System and Organization Controls) report is an independent examination performed by a CPA that evaluates a service organization’s internal controls related to financial reporting or data security.

What is the difference between SOC 1 and SOC 2?
SOC 1 focuses on controls impacting financial reporting, while SOC 2 evaluates controls related to security, availability, processing integrity, confidentiality, and privacy under the Trust Services Criteria.

What is the difference between Type I and Type II SOC reports?
A Type I report evaluates the design of controls at a specific point in time. A Type II report assesses both the design and operating effectiveness of controls over a defined period.

Who needs a SOC audit?
Service organizations that handle client financial data or sensitive information often pursue SOC audits to meet regulatory requirements, contractual obligations, or customer expectations.

How long does a SOC audit take?
The timeline depends on readiness and report type. Type I audits are typically shorter, while Type II reports require several months of control operation and testing before issuance.