This is the first post in a 4-part series on SOC reporting basics within the cryptocurrency ecosystem. Part 1 provides basic introduction to SOC reporting. Part 2 breaks down the various types of SOC reports. Part 3 discusses SOC reporting in the cryptocurrency space. Part 4 is a simple guide for cryptocurrency firms interested in getting started.
SOC audits and reports are prevalent in many industries. Within recent years, SOC reporting has made its way into the crypto ecosystem. In order to understand SOC’s relevance in crypto, it’s helpful to understand where they came from. This post provides a basic introduction to the background of SOC reporting.
SOC Official Definition
As described on AICPA’s official website, “System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.”
Let’s break that down.
SOC Background and Context
The AICPA, or American Institute of Certified Public Accountants, is the professional organization for Certified Public Accountants (CPAs) in the US. Among its many other functions, the AICPA sets standards for organizations from private firms to governmental agencies.
A CPA is a qualified, licensed public accountant. CPAs must pass a rigorous exam to achieve this certification, which allows them to perform accounting services to the public. One type of such services, assurance services, aims to help an organization’s stakeholders — such as its leaders, customers, and investors — make more informed decisions. This is achieved through the assessment of organizational information by the CPA, using a standard AICPA-defined framework in order to reduce risk. An audit is a type of assurance service.
During an audit, examiners review some or all of an organization’s information in order to ensure their, “records are a fair and accurate representation of the transactions they claim to represent” (Investopedia). Audits typically look at financial information and can be conducted either internally or externally. Internal audits leverage teams within an organization, usually with the purpose of monitoring and improving internal controls and processes.
External audits are performed, typically, by CPAs from independent third parties with the purpose of reviewing an organization’s standards, controls, and information integrity. The output is a report, or series of reports, that summarizes current practices and provides recommendations that, depending on the type of audit, improve transparency and minimize risk factors.
So, what’s a SOC Report?
A SOC report is the end product of a SOC audit. How’s that for a circular definition?
Remember, SOC stands for System of Organization Controls, which is a suite of offerings related to a service organization’s controls. A SOC audit is an engagement wherein the CPA firm works with the organization to review its system controls using the AICPA-defined SOC standards. A SOC report, therefore, is the output of that audit, the CPA’s synthesis of information uncovered throughout the engagement.
Assurance and attestation are essential elements of SOC reporting. Trust is a short-hand way to think about what assurance is. In other words, can an organization’s stakeholders, such as its customers and investors, trust the organization is doing what they say they are? Attestation, on the other hand, is effectively a third party saying, “XYZ organization does (or does not) have proper controls in place, and do (or do not) report information accurately and transparently.”)
Of course, this is a gross oversimplification. If you’re interested in learning more, check out the official standards for these types of engagements.
Okay…but, what’s a SOC Report?
The question is a bit misleading because there are actually multiple flavors of SOC reports. We’ll get into specifics in <part 2> but this chart serves as a good mental model that will guide our understanding.*
Key Takeaways for Part 1:
- SOC, or System and Organization Controls, refers to a suite of services that licensed CPAs can provide to service organizations.
- SOC audits are conducted using an AICPA-defined framework intended to assess an organization’s systems and controls around financial reporting and other related trust mechanisms.
- SOC reports are issued at the end of a SOC audit. There are three main types, two of which are categorized by a sub-type.
- All SOC reports must be issued by a licensed CPA firm
Now, let’s dive into what this stuff actually means in part 2.
