This is the second post in a 4-part series on SOC reporting basics within the cryptocurrency ecosystem. Part 1 provides basic introduction to SOC reporting. Part 2 breaks down the various types of SOC reports. Part 3 discusses SOC reporting in the cryptocurrency space. Part 4 is a simple guide for cryptocurrency firms interested in getting started.
SOC audits and reports are prevalent in many industries. Within recent years, SOC reporting has made its way into the crypto ecosystem. In order to understand SOC’s relevance in crypto, it’s helpful to understand where they came from. This post provides a basic introduction to the background of SOC reporting.
SOC Official Definition
As described on AICPA’s official website, “System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.”
In part 1, we broke that down in order to understand the wider context for SOC reporting. Part 1 closed with a basic chart that we’ll now take a closer look at in order to understand the differences between different types of SOC reports.
SOC Report Breakdown
Before we look at the differences between SOC 1 vs SOC 2 vs SOC 3, let’s clarify what the row labels on the left side of the chart mean:
- Internal Control Over Financial Reporting (ICFR) — assesses how effective an organization’s financial reporting controls are, specifically as they affect the financial reporting of its users
- Trust Service Principles — designed to address information security, assesses an organization’s controls pertaining to: Security, Availability, Processing Integrity, Confidentiality, Privacy
- Restricted Use — describes who the report’s intended audience is
- Type 1 — think snapshot, or one-off; “report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.” [AICPA]
- Type 2 — similar to Type 1, but over a specified period of time, as opposed to a snapshot
Now, let’s look at what these terms mean within the context of each report type:
SOC 1
SOC 1 (ICFR) reports look specifically at the organization’s internal controls around financial reporting, specifically as they relate to customers’ financial reporting. Many organizations outsource aspects of their business to service organizations. As such, the organizations doing the outsourcing rely on the service organization’s financial statements to make business decisions. SOC 1 reports assess the service organization’s financial reporting mechanisms and evaluate their effect on the client’s financial statements.
SOC 1 Type 1 reports look at the service organization’s overall system of financial reporting controls at a specific point in time.
SOC 1 Type 2 reports look at these same controls, but instead evaluate their operating effectiveness in achieving control objectives over a certain period of time.
Due to the sensitive nature of information in SOC 1 reports, they are restricted to the service organization’s leadership, the organization’s customers/users, and the auditors.
SOC 2
SOC 2 reports assess the service organization’s ability to meet the five Trust Service Principles. These reports are intended to give assurance to the service organization’s users that the organization’s controls are sufficient in upholding these principles, which, in turn, informs critical business processes such as risk management. As indicated by AICPA, “these reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight”
Similar to SOC 1 reports, SOC 2 Type 1 reports look at the overall system’s design of controls. SOC 2 Type 2 reports, alternatively, look at the system’s operational effectiveness over a period of time.
Again, like SOC 1 reports, the sensitive information contained in SOC 2 reports restricts their audience.
SOC 3
SOC 3 reports are similar to SOC 2 reports in that they are designed to meet the needs of a service organization’s users who seek assurance regarding controls around the Trust Service Principles. However, there is a key difference between SOC 2 and SOC 3 reports.
SOC 3 reports are general use. That means anyone can view them and they can be freely distributed. This is possible because SOC 3 reports contain less sensitive detail about the specific controls than SOC 2 reports do.
If you go to a company’s website and they have links to SOC reports, you can almost always safely assume that you’re looking at a SOC 3 report.
Resources
This piece is an elementary breakdown of SOC reporting. If you’re interested in learning more, there are plenty of great resources out there. Here are a few to get you started:
- AICPA’s SOC Homepage — overview of the SOC Suite of Services. Includes links to official descriptions for SOC 1, SOC 2 & SOC 3
- 1-Minute Overview — quick video from licensed CPA firm KirkpatrickPrice describing basic differences between SOC 1 vs SOC 2 vs SOC 3 Reports
- Does Your Block Need a SOC? — “A casual, but informative read for technical and non-technical executives on the role of third-party assurance over blockchains and other things crypto.” Part 1 of 3-part series from Noah Buxton, Director, Blockchain, Risk Assurance & Advisory at AraminoLLP.
- SOC Wikipedia Page — succinct overview of report levels and types as well as the 5 Trust Service Principles reports focus on
Next, we will discuss SOC reporting in the cryptocurrency space in part 3.