SOC - System and Organization Controls

SOC stands for System and Organization Controls and represents a group of compliance standards developed by the American Institute of CPAs (AICPA), a network of professionals across the globe. SOC audits aim to examine all the policies, procedures, and internal controls of an organization. SOC reports are designed to help organizations that deal with information systems and share their information with other organizations.

Types of SOC Audits and Reports

| | SOC 1 (Financial Controls) | SOC 2 (IT Controls) | SOC 3 (Publicly Shareable) |
|---|---|---|---|
| ABOUT | A SOC 1 is a report on controls at a service organization that are relevant to user entities' control over financial reporting. | A SOC 2 report is based on the existing SysTrust and WebTrust principles. The aim of the SOC 2 report is to gauge an organization's information systems relevant to security, availability, processing integrity, confidentiality, or privacy. | SOC 3 is analogous to SOC 2 and is based on the existing SysTrust and WebTrust principles. The difference is that the report doesn't detail the testing performed and is meant to be used as marketing material. |
| PURPOSE | Audits of financial statements | GRC programs, oversight, due diligence | Marketing or general purpose |
| INTENDED USERS | Financial statement auditors, customers, related third parties | Management, regulators, related third parties | Anyone with a need for confidence in the service organization's controls |
| FOCUS ON | Internal controls relevant to financial reporting | Operational controls regarding security, availability, processing integrity, confidentiality or privacy | Easy-to-read report on controls |
| EVALUATES | Type I: Design of internal control. Type II: Operating effectiveness of internal control during the review period. | Type I: Design of internal control. Type II: Operating effectiveness of internal control during the review period. | Design of controls related to SOC 2 objectives |


Report Types SOC 1 SOC 2
  • Point-in-time financial audit
  • Focuses on a specific date and includes a description of the structure that a service organization uses.
  • Tests the control system to determine if it’s designed correctly.
  • A day-long audit of your systems and security controls demonstrates that you understand security best practices and are working on implementing them; it takes 3-4 months to get certified.
  • Customers and prospects are requesting you to get certified and you’re short on time
  • Financial audit over a period of time
  • Along with a description and design test, it also checks the operating effectiveness of internal practices during that scope of time.
  • SOC 1 reports are restricted to the service organization, the requesting customer and the auditor.
  • A 6-12 month audit of your systems and security controls demonstrates that you understand and have implemented security best practices
  • You already have some security controls in place and you’d rather not spend the resources doing two separate audits

Trust Services Principles

  • Security
  • Processing Integrity
  • Privacy
  • Confidentiality
  • Availability

Compliance Roadmap

Phase 1: Audit Preparation

  • Define audit scope and overall project timeline
  • Identify existing or required controls through discussion with management and review of available documents
  • Perform readiness review to identify gaps requiring management attestation
  • Communicate prioritized recommendations to address any identified gaps
  • Hold working sessions to discuss alternatives and remediation plans
  • Verify that gaps have been closed before beginning the formal audit phase
  • Determine the most effective audit and reporting approach to address the service provider’s external requirements

Phase 2: Audit Planning

  • Complete advance data collection before on-site work to accelerate the audit process
  • Conduct on-site meetings and testing
  • Complete off-site analysis of collected information
  • Conduct weekly reporting of project status and identified issues
  • Provide a draft of the final report for management review
  • Provide an internal report for management containing any overall observations and recommendations for consideration.

Phase 3: Audit Reporting & Attestation

  • Description of your controls and results of our tests
  • Confirmation from client on the report
  • CPA Attestation (Seal and Sign)
  • Project Closure

Visit the following sections for more information on the next steps for getting certified through INTERCERT.