SOC Reporting 101
SOC 2 | RSI Security
858.999.3030 | info@rsisecurity.com
2021

Understanding SOC Audits and SOC Reporting
There are three primary SOC standards developed by the American Institute of Certified Public Accountants (AICPA). A SOC audit involves a comprehensive review of an organization’s controls, related to either financial reporting or information security.

SOC 1: A report on financial reporting controls. The audience is auditors and other specialists.

SOC 2: An in-depth report on trust service criteria (TSC), also intended for a specialized audience.

SOC 3: A more generalized report on the same TSC, but intended for public presentation.

A SOC 1 report applies to financial service organizations, or financial service components of organizations. SOC 2 and SOC 3 reports both apply to service organizations more broadly. Most organizations generate either a SOC 1 report or a SOC 2 / SOC 3 report—not all three.

RSI Security has been guiding organizations’ compliance strategies for over a decade. Of all the SOC reports, we specialize in SOC 2 Type 1 and SOC 2 Type 2 reports. Read on to determine which reports are best for your organization.
Understanding the SOC Report Types

In addition to the three levels of SOC reporting, there are also two types of reports applicable to SOC 1 and SOC 2. The type refers to the duration and comprehensiveness of the audit:

Type 1: A report on the effectiveness of the implemented controls’ design at a given point in time (i.e., a “snapshot”).

Type 2: A report on the design and operational effectiveness of controls, with assessment occurring over 3-12 months.

A Type 1 report requires a shorter and less intrusive audit, making it more accessible, but the insights generated offer less assurance about the organization’s controls. A Type 2 report takes significantly longer and can be much more resource-intensive, but it offers unparalleled insights into the organization’s controls in practice—the greatest assurance of security possible.

There are five kinds of SOC reports an organization could generate, depending on its needs:

- SOC 1 Type 1
- SOC 1 Type 2
- SOC 2 Type 1
- SOC 2 Type 2
- SOC 3

Note: SOC 3 reports do not have a “Type” designation, but use a long-term Type 2 audit.

In many cases, organizations generate a Type 1 SOC 1 or SOC 2 report en route to a longer Type 2 report at a later date. For example, a service organization might generate a SOC 2 Type 1 report, then a SOC 2 Type 2 report (for auditors), and then also a SOC 3 report for the public.
Selecting the Appropriate SOC Report

When deliberating about which SOC audit to conduct, the first question to ask is: Which kind of organization are we? Or, which part of the organization is being audited?

- Financial Services Organizations (payroll and loan processing, medical claims processing, other payment processing): SOC 1
- Other Service Organizations (Software as a Service (SaaS), cloud hosting and computing, security service providers): SOC 2 or SOC 3

For financial services organizations and segments, the second question is: What level of detail is required concerning controls over financial reporting?

- Details about program design: Generate a SOC 1 Type 1 report
- Details about program operation: Generate a SOC 1 Type 2 report

For all other service organizations and segments, the second question is: Who is the intended audience for the report on information security controls?

- Clients and Auditors: SOC 2 (see the third question)
- The General Public: Generate a SOC 3 report

For service organizations seeking a report for clients and auditors, there is a third question: What level of detail is required concerning controls over information security?

- Details about program design: Generate a SOC 2 Type 1 report
- Details about program operation: Generate a SOC 2 Type 2 report
Understanding the Trust Services Principles

SOC 2 and SOC 3 reports assess an organization’s controls against the Trust Services Criteria (TSC). The TSC comprise five categories, beginning with Security:

SECURITY
Ensuring that information and the systems involved in its collection, use, or storage are protected against unauthorized access or disclosure compromising integrity, confidentiality, and privacy.

Security applies to all engagements; the additional criteria may or may not apply to a SOC 2 or SOC 3 engagement, depending on the specific reasons for the organization’s audit reporting:

AVAILABILITY
Ensuring that all information and systems are accessible and meet defined objectives.

CONFIDENTIALITY
Ensuring that all information designated confidential is protected, up to defined thresholds and objectives.

PROCESSING INTEGRITY
Ensuring that system processing is complete, valid, accurate, timely, and authorized—to meet objectives.

PRIVACY
Ensuring that personal or personally identifiable information is protected.
Implementing the Trust Services Criteria
The most critical criteria listed in the TSC framework are the Common Criteria. Within the CC Series, the
most essential are the first five, which correspond directly to the COSO principles upon which the entire
TSC document is based. The five most essential criteria are:

The Control Environment (CC1 Series)

CC1.1 Demonstrating organizational commitment to integrity and ethical values
CC1.2 Demonstrating the board’s independence from management and oversight
CC1.3 Demonstrating clear establishment of reporting structure and responsibilities
CC1.4 Demonstrating a commitment to developing and retaining competent staff
CC1.5 Demonstrating a culture of accountability for internal control responsibilities

Communication and Information (CC2 Series)

CC2.1 Demonstrating the use of relevant information to support internal controls
CC2.2 Demonstrating clear communication of control objectives and responsibilities
CC2.3 Demonstrating communication with external parties regarding internal control

Risk Assessment (CC3 Series)

CC3.1 Demonstrating clear specification of objectives to enable risk assessment
CC3.2 Demonstrating a consideration of fraud with respect to all identified risks
CC3.3 Demonstrating identification and analysis of risks threatening its objectives
CC3.4 Demonstrating identification and assessment of potentially impactful changes
Monitoring of Controls (CC4 Series)

CC4.1 Demonstrating regular evaluations to determine efficacy of internal controls
CC4.2 Demonstrating timely, accurate communication of identified control deficiencies

Design and Implementation of Controls (CC5 Series)

CC5.1 Demonstrating selection and development of adequate risk mitigation controls
CC5.2 Demonstrating development of other technological controls to meet objectives
CC5.3 Demonstrating deployment of controls per well-defined policies and protocols

Beyond these five core concerns, there are four other Common Criteria Series:

- Logical and Physical Access Controls (CC6 Series)
- System Operations Management (CC7 Series)
- Change Management (CC8 Series)
- Risk Mitigation (CC9 Series)

And, beyond all the Common Criteria, there are three supplemental Availability criteria (A Series), two
supplemental Confidentiality criteria (C Series), five supplemental Processing Integrity criteria (PI
Series), and eight supplemental Privacy criteria (P Series).

Depending on the nature of your SOC engagement, you may be assessed on all 13 Series of Criteria, or
only a portion of the supplemental controls specified outside of the Common Criteria.
www.rsisecurity.com • 858.999.3030 • info@rsisecurity.com

RSI Security’s SOC 2 Services

RSI Security has helped countless service organizations generate SOC 2 Type 1 and SOC 2 Type 2 reports. We offer comprehensive SOC 2 advisory and assessment services. Our experts will conduct a readiness assessment to gauge your organization’s needs and the state of your cybersecurity controls per the Trust Services Criteria. Then, we will assist in program development and acquisition to meet or surpass all requirements for your assessment. Finally, RSI Security will conduct the assessment, either Type 1 or Type 2, leading to a successful report. We can then assist in long-term management to maintain compliance.
