SOC Reporting Framework

This post introduces to System and Organization Controls (SOC) reporting framework, in the context of compliance with US American law Sarbanes-Oxley Act (SOX).

Regulation Context

The Sarbanes-Oxley Act (SOX or Sarbox) is a United States of America federal law. It mandates certain practices in financial record keeping and reporting for corporations.

It was published in 2002 as a response to finance scandals like Enron, Tyco International, WorldCom and Peregrine.

SOX primarily applies to publicly traded companies in the U.S. It requires these companies to establish and maintain effective internal controls over financial reporting to ensure the accuracy of their financial statements. It mandates the assessment of internal controls, the reporting of any deficiencies, and external audits of these controls.

A subset of these controls is the IT General Controls (ITGC). There is no standard definition of these controls, and they depend on each organization.

In this context, System and Organization Controls (SOC) is a reporting framework that may be used by companies affected by SOX and also other companies to report about internal controls to their stakeholders.

SOC reports are created by audit teams following assurance standards, like the ones featured on this post.

System and Organization Controls (SOC)

System and Organization Controls (SOC) is a reporting framework, that is the combination of a set of reports and assurance standards to develop these reports.

SOC is defined by the American Institute of Certified Public Accountants (AICPA).

You can find a list of type of reports and assurance standards in the next sections.

SOC Reports

There are different types and levels of SOC reports.

A SOC report could have assigned a type and level at the same type, for example, a SOC 2 Type II report.

Types of SOC Reports

Types of SOC reports:

• SOC 1 – Internal Control over Financial Reporting (ICFR). Internal Control over Financial Reporting (ICFR)
• SOC 2 – Trust Services Criteria. covers controls related to security, availability, processing integrity, confidentiality, and privacy. It is used by organizations to demonstrate their commitment to these key aspects of their services.
• SOC 3 – Trust Services Criteria for General Use Report. It is a summarized version of the SOC 2 report that can be shared with a wider audience, including the general public.

Additionally, there are specialized SOC reports for Cybersecurity and Supply Chain.

Levels of SOC Reports

Level of SOC reports:

• Type 1: assessment of the design of controls at a specific point in time
• Type 2: assessment of the operating effectiveness of identified controls over a specified period

These levels are defined by the SOC assurance standards.

SOC Assurance Standards

SOC assurance standards offer guidelines for reporting on controls at service organizations to provide assurance to users and stakeholders about the effectiveness of these controls.

List of assurance standards for reporting on control included in SOC:

• ISAE 3402
• SSAE 18
• SAS 70

ISAE 3402

The International Standard on Assurance Engagements 3402 (ISAE 3402) is an assurance standard of international scope. It is titled “Assurance Reports on Controls at a Service Organization“.

Is is issued by the International Auditing and Assurance Standards Board (IASSB).

It was designed to align with international auditing and assurance standards. Thus, it is the assurance standard used for SOC in an international context.

ISAE 3402 is considered to cover SOC 1 reports, but not SOC 2 and SOC 3.

SSAE 18

Statement on Standards for Attestation Engagements Number 18 (SSAE No. 18, or SSAE 18) is an assurance or attestation standard of US American scope. It is used for external audits.

It is issued by the American Institute of Certified Public Accountants (AICPA).

SSAE No. 18 superseded other previous SSAE publications, including SSAE No. 16.

It is the assurance standard used for SOC in a national US American context.

SAS 70

State on Auditing Standards No. 70 (SAS 70) was a report standard, under the title “Reports on the processing of transactions by service organizations“.

It was issued by the American Institute of Certified Public Accountants (AICPA) in 1991.

It was superseded by SSAE No. 16, that was later superseded by SSAE No. 18.

External references

• Wikipedia; “System and Organzation Controls“; Wikipedia
• Wikipedia; “ISAE 3402“; Wikipedia
• Wikipedia; “SSAE No. 18“; Wikipedia