This post introduces to System and Organization Controls (SOC) reporting framework, in the context of compliance with US American law Sarbanes-Oxley Act (SOX).
The Sarbanes-Oxley Act (SOX or Sarbox) is a United States of America federal law. It mandates certain practices in financial record keeping and reporting for corporations.
It was published in 2002 as a response to finance scandals like Enron, Tyco International, WorldCom and Peregrine.
SOX primarily applies to publicly traded companies in the U.S. It requires these companies to establish and maintain effective internal controls over financial reporting to ensure the accuracy of their financial statements. It mandates the assessment of internal controls, the reporting of any deficiencies, and external audits of these controls.
A subset of these controls is the IT General Controls (ITGC). There is no standard definition of these controls, and they depend on each organization.
In this context, System and Organization Controls (SOC) is a reporting framework that may be used by companies affected by SOX and also other companies to report about internal controls to their stakeholders.
SOC reports are created by audit teams following assurance standards, like the ones featured on this post.
System and Organization Controls (SOC)
System and Organization Controls (SOC) is a reporting framework, that is the combination of a set of reports and assurance standards to develop these reports.
SOC is defined by the American Institute of Certified Public Accountants (AICPA).
You can find a list of type of reports and assurance standards in the next sections.
There are different types and levels of SOC reports.
A SOC report could have assigned a type and level at the same type, for example, a SOC 2 Type II report.
Types of SOC Reports
Types of SOC reports:
- SOC 1 – Internal Control over Financial Reporting (ICFR). Internal Control over Financial Reporting (ICFR)
- SOC 2 – Trust Services Criteria. covers controls related to security, availability, processing integrity, confidentiality, and privacy. It is used by organizations to demonstrate their commitment to these key aspects of their services.
- SOC 3 – Trust Services Criteria for General Use Report. It is a summarized version of the SOC 2 report that can be shared with a wider audience, including the general public.
Additionally, there are specialized SOC reports for Cybersecurity and Supply Chain.
Levels of SOC Reports
Level of SOC reports:
- Type 1: assessment of the design of controls at a specific point in time
- Type 2: assessment of the operating effectiveness of identified controls over a specified period
These levels are defined by the SOC assurance standards.
SOC Assurance Standards
SOC assurance standards offer guidelines for reporting on controls at service organizations to provide assurance to users and stakeholders about the effectiveness of these controls.
List of assurance standards for reporting on control included in SOC:
- ISAE 3402
- SSAE 18
- SAS 70
The International Standard on Assurance Engagements 3402 (ISAE 3402) is an assurance standard of international scope. It is titled “Assurance Reports on Controls at a Service Organization“.
Is is issued by the International Auditing and Assurance Standards Board (IASSB).
It was designed to align with international auditing and assurance standards. Thus, it is the assurance standard used for SOC in an international context.
ISAE 3402 is considered to cover SOC 1 reports, but not SOC 2 and SOC 3.
Statement on Standards for Attestation Engagements Number 18 (SSAE No. 18, or SSAE 18) is an assurance standard of US American scope.
It is issued by the American Institute of Certified Public Accountants (AICPA).
SSAE No. 18 superseded other previous SSAE publications, including SSAE No. 16.
It is the assurance standard used for SOC in a national US American context.
State on Auditing Standards No. 70 (SAS 70) was a report standard, under the title “Reports on the processing of transactions by service organizations“.
It was issued by the American Institute of Certified Public Accountants (AICPA) in 1991.
It was superseded by SSAE No. 16, that was later superseded by SSAE No. 18.