In the traditional financial services industry, common third-party service providers such as custodians, exchanges and fund administrators leverage SOC (System and Organization Controls) reports issued by independent external auditors to build stakeholder trust and confidence. The interest in attaining SOC reports has been driven by the recognition that the reports disclose important information about third-party provider controls that end users need to comprehensively assess and address the risks of outsourced core capabilities. The adoption of the SOC reporting standard by digital asset service providers speaks to the industry’s maturation and belief in providing stronger and more standardized assurances and transparency to stakeholders.
Independent audit firms (known as service auditors) perform SOC examinations on companies (service organizations) based on guidelines established by the American Institute of Certified Public Accountants (AICPA). SOC examinations are tests of internal controls and processes that impact an organization’s end users. AICPA’s SOC reporting framework presents three reporting options: SOC 1, SOC 2 and SOC 3. The types of services and systems a company offers, along with user-specific needs, inform the type and scope of audit an organization should obtain.
To learn more about the differences between the main reports, and how these reports apply to digital asset service providers, download the full piece below.