System and Organization Controls Reports

February 15, 2021
By: Mckay Hall

The increased connectivity and processing power of computers have enabled some truly remarkable possibilities in management and efficiency for organizations, as well as at home. It’s important to remember, though, that improved efficiency and management often bring an increase in risk. As organizations become more interconnected, and service providers handle more of the processing and management, the number of ways our organizations can be compromised increases. We don’t only have to worry about the risks and controls in our own organizations; we also need to consider the risks and controls in the service providers we use.

To that end, a suite of reports has been created, known as System and Organization Controls (SOC) reports, which allows an organization to consider the risks and related controls of a service provider. This can help an organization better understand the risks that come from the service provider and decide whether it needs to take additional steps to address those risks, or whether it’s comfortable with the controls the service provider has in place.

There are several types of SOC reports. Generally, they are performed under a similar framework, but the area of focus and the end report differ from one type to the next. The current types of SOC reports are:

SOC 1 reports, which focus on Internal Controls over Financial Reporting (ICFR). These reports are important in situations where a portion of the organization’s financial process has been outsourced to a service provider.

SOC 2 reports, which focus on the Trust Services Criteria. These are five criteria focused on the stability and integrity of an information system or other computerized system. These reports are important when assessing possible risks related to outsourcing some part of an organization’s computer system.

SOC 3 reports, which are similar in nature and focus to SOC 2, but produce a different report at the end, one that can be distributed much more broadly.

SOC for Cybersecurity reports, which focus on cybersecurity risk management programs. These are useful when looking to gain an understanding of a service provider’s risks and controls related to cybersecurity rather than the stability and integrity of its system (SOC 2).

SOC for Supply Chain reports, which focus on a provider’s controls for producing, manufacturing, or distributing goods.

By getting the appropriate report from a service provider and using that report to gain a level of comfort and understanding of the provider’s risks and controls, a company can better understand and reduce its own risks.
