System and Organization Controls (SOC) is an auditing standard, defined by the AICPA, that has its roots in financial auditing. SOC reports come in three (3) flavors: SOC 1, SOC 2 and SOC 3. A SOC 1 report is a third-party audit of the controls at a service organization that are relevant to its customers' financial reporting; it provides an independent opinion on how well the company keeps its financial house in order. A SOC 2 report covers controls evaluated against the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. A SOC 3 report is a general-use summary of a SOC 2 examination that can be shared publicly.

SOC 1 and SOC 2 reports are each further broken down into two forms: Type I and Type II. A Type I report evaluates whether controls are suitably designed and in place at a single point in time, whereas a Type II report also tests whether those controls operated effectively over a period of time (commonly 6 to 12 months). Type II reports are viewed as more reliable in general, because a control that exists on paper on one day has not yet been shown to work in practice.

Criticism of SOC Audits:

All organizations are different and unique. A SOC audit does not prescribe a fixed list of controls: for SOC 1 the service organization writes its own control objectives, and for SOC 2 the AICPA Trust Services Criteria fix what must be addressed, but the organization chooses which criteria are in scope (only Security is mandatory) and which of its own controls are mapped to them. Good audit firms will suggest additional controls where they see gaps, but the organization itself generally sets the controls to be reviewed in a third-party audit. The criticism here is that if a control is left out of the audit's scope, perhaps it is because the company is failing at that control, yet it will still pass the audit without that control included. Therefore, it is always important to read a SOC report with an eye to what controls should be expected, to check the scope section and any exceptions the auditor noted, and to hold a company accountable for controls missing from its SOC report.

Source: InfoSecurity Magazine

What does this mean for an SMB?

SMBs should always be taking steps to build a strong set of organizational controls. This is true of financial controls but also of cybersecurity controls. Most SMBs will not find enough value in their own SOC audit outside of a regulatory or customer requirement; however, very mature SMBs may wish to codify their processes, test them internally, and then schedule an external third-party examination through a SOC 1 Type II or SOC 2 Type II audit. Type I reports are generally not worth the effort.

The problem for SMBs is that SOC audits aren't cheap, either to prepare for or to hire an outside firm to complete (often they start around $20,000). Yet there are ways SMBs can begin to build their formal processes and perform a minimal internal Risk Assessment. CyberHoot has helped many businesses identify the gaps in their security programs through our assessments module, which contains cybersecurity, PCI, and HIPAA based assessment questionnaires. Risk Assessments and SOC audits are strong ways to start securing your business. CyberHoot can play a pivotal role in preparing companies for such audits through its policy and process management, training programs, and phish testing. Email us to get more information!

To learn more about SOC 1 and SOC 2, watch this short video:

Are you doing enough to protect your business?

Sign up with CyberHoot today and sleep better knowing your employees are cyber trained and on guard!
