Attention businesses….has your organization had a SOC (service organization control) report in recent years? Make sure you’re ready for your next examination, and be mindful that compliance with new reporting standards is required for reports dated on or after December 15, 2018. Read on to see what’s changed for 2018 and beyond.

What is a SOC report?

To refresh your memory, service organization control (SOC) audits, or internal control reports are a great way for customers to ensure that service providers are practicing safe and secure controls and protecting your personal data.

If you or your company is considering hiring a service provider, you should ask to review the vendor’s SOC report prior to engaging them so that you can get an accurate understanding of the organization’s controls and the risks associated with their services.

There are 3 types of SOC reports- SOC 1, SOC 2 and SOC 3.

Which companies require a SOC report?

Companies that may need a SOC report include service organizations that perform a financial reporting function or handle sensitive information on behalf of their customers.

Important changes to note

Effective December 15^th, SOC will now stand for System and Organization Controls. Additionally, “trust services principles” under SOC 2 reports will now be known as “trust services criteria” and the lower-case-p principles (security, availability, processing integrity, confidentiality, and privacy) are now the “Trust Services Categories.”

1. The trust services criteria are now aligned with what is known as the COSO (Committee of Sponsoring Organizations of the Treadway Commission) 2013 framework, which publicly traded companies use to assess their own entity-wide controls as they relate to fraud and misappropriation of assets and data. With this update, you’ll need to perform a “gap analysis”. A gap analysis is a method of assessing your business’ current controls to identify differences between your current state of controls and where they should be.

Once you pinpoint where your controls don’t align, you’ll be able to address the gaps.

2. Supplemental criteria to better address cybersecurity risks- The COSO Framework includes seventeen categorized principles of internal control that organizations must follow. The categories are as follows:

• Control environment
• Communication and information
• Risk assessment
• Monitoring activities
• Control activities

To better address cyber risks, the trust services criteria were further modified and organized into additional categories:

• Logical and physical access controls
• System operations
• Change management
• Risk mitigation

3. Additional description criteria requirements- The description criteria provide a description of a service organization’s system in a SOC 2 report. There are two major changes you should note—

• Service organizations must now be more transparent about service commitments and system requirements- The new description criteria holds that service organizations must describe their principal service commitments and system requirements in the description. This change was made in hopes that users will be able to understand the objectives that drive the system and users will now have a standard by which they can measure the effectiveness of the organization’s internal controls.
• Service organizations must disclose certain incidents- The organization is required to disclose any incident that occurred during the audit period or affected the service organization’s ability to meet its service commitments or system requirements.

Why is there an increased need for SOC reports in 2018 and beyond?

The threat landscape is changing, and businesses are dealing with an increased demand for transparency and assurance surrounding controls and processes. Organizations have no choice but to evolve!

Questions on SOC reporting and what you need to do before December 15^th? Reach out to me or any member of our SOC Services Team.