System and Organisation Controls (SOC) Reports

Risk Advisory Services

Organisations today face more frequent and sophisticated security threats than ever before. A SOC report can provide transparency over your controls and those of your service providers to ensure organisational data is adequately protected. 

Many organisations have come across System and Organisation Control (SOC) reports before however it can be confusing which type of SOC report is the most effective to demonstrate the adequacy of the control environment, especially when it comes to obtaining assurance from third parties, or providing assurance to customers.

Typically SOC 1 reports focuses on internal controls over financial reporting, with a Type 1 report assessing the design and implementation of controls, at a point in time. A Type 2 report assesses the design and implementation as well as the operating effectiveness of controls over a defined period of time.

With the trending focus of interest in Trust Services Criteria (TSC) in security, availability, processing integrity, confidentiality and privacy, a SOC 2 report has gained more popularity.

This is because an organisation must articulate their controls and how these will protect organisational data.

RSM has extensive experience in conducting SOC 1 and SOC 2 audits, and SOC readiness assessments, and can work with your organisation to determine which is the best report based upon your desired objectives and audience. Similarly, we can also assist with assessing the SOC reports provided by your third parties to determine any key control weaknesses, or gaps in responsibilities and/or assurance.

Below is a table that outlines the key differences between a SOC 1 and SOC 2 report:

Have you been given a SOC report from one of your third parties, and being expected to understand exactly what you have and do not have assurance over? Or perhaps had a customer ask for a SOC report, and not having anything to provide for assurance? We can help.

Understanding what report you may need, and how to start getting prepared is no easy feat. RSM is here to support you every step of the way, and clearly outline what is involved and expectations upfront to assist you with planning for resources, evidence gathering, key deliverables, and timelines from planning through to report distribution.

Benefits of SOC reports

All organisations will benefit from RSM’s experience with SOC reports. We have experience with assessing SOC reports as assurance from third parties, undertaking SOC readiness assessment prior to organisations committing to a formal SOC report, and also undertaking the SOC report process itself. If you wish to be able to clearly demonstrate your organisation’s control environment to an external audience in a clear and consistent manner, you will benefit from a SOC report.

Who needs this?

All organisations will benefit from RSM’s experience with SOC reports. Whether it be interpreting a SOC report from a third party, or undergoing the SOC report process itself, we will work with you to understand your needs, and tailor an approach accordingly to address key focus/concern areas.