The virtual asset space is developing at an astonishing rate. A technology that barely existed over a decade ago is now arguably spawning one of the greatest financial revolutions of our age—introducing countless innovative and never-before-seen products, services and business models. But just as it’s hard to deny the tremendous potential this technology has to offer, it’s difficult to ignore its associated risks—whether perceived or otherwise.
While the world made tremendous progress in 2018 from a virtual asset regulation and risk management perspective—incorporating the industry into existing and new regulatory and risk management frameworks—there is still a way to go. With no formally-enacted regulatory requirements or guidelines in place in Canada, virtual asset risk management is still a best practice undertaking—which means companies must take it upon themselves to ensure they’re doing what it takes to protect the best interests of their customers.
To do this, they must look more critically—and thoroughly—
at their internal control structures. One way of doing this is through undertaking a System and Organization Controls (SOC) attestation engagement.
Download the full guide to learn more about obtaining a System and Organization Control (SOC) attestation report
The purpose of a System and Organization Controls (SOC) engagement is to validate that a user entity (the recipient of services being provided by a third party) or service organization (the entity providing the services) is operating as efficiently as possible, while minimizing risks and offering the best quality service. These exams are performed by service auditors and must meet the
attestation standards set out by the American Institute of Certified Public Accountants (AICPA) (for companies in the United States) and the Canadian Standard on Assurance Engagements (for companies situated in Canada).
The standards vary depending on the type of company and the subject matter being reported on. As such, they are broken down into three different types of reports: SOC 1, SOC 2 and SOC 3. There are different reasons why an entity might want to choose one over the other, which are outlined in the chart below:
SOC 1 report
An organization’s financial reporting controls.
SOC 2 & SOC 3 reports
An organization’s controls relative to security, availability, processing integrity, confidentiality and/or privacy.
SOC 1 report
To provide information to a relevant stakeholder (e.g., a user entity, including its auditors) about an organization’s financial reporting controls. It enables the user auditor to perform risk assessment procedures and, depending on the type of report sought, assess the risk of material misstatement of financial statement assertions.
SOC 2 report
To provide an organization’s management team, as well as other specified parties, with a Certified/Chartered Professional Accountant’s (CPA) opinion about controls at the organization that may affect the entity’s security, availability, processing integrity, confidentiality or privacy.
SOC 3 report
To provide interested parties (e.g., banking partners, investors,
customers and the public) with a Certified/Chartered Professional Accountant’s (CPA) opinion about how an organization’s existing
controls may affect the entity’s security, availability, processing integrity, confidentiality or privacy.
SOC 1 & SOC 2 reports
Type 1 report: A report on the description of controls at a point in time, provided by management of the organization, which attests that the controls are suitably designed and implemented.
Type 2 report: A report on the description of controls over a period of time, provided by management of the service organization, which attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls.
SOC 3 report
The auditor’s report on whether the entity maintained effective
controls over its system as it relates to the criteria being reported on (e.g., security, privacy, etc.)
SOC 1 report
Restricted use – SOC 1 reports are intended for auditors of the user entity’s
financial statements, management of the user entity and management of the service organization.
SOC 2 report
Restricted use – SOC 2 reports are intended for an audience that has prior knowledge and understanding of the system, such as management of an organization.
SOC 3 report
Anyone – SOC 3 reports can be shared openly with the public and posted
on a company’s website with a seal indicating their compliance.
This website uses cookies to provide necessary site functionality, monitor performance, give you access to products and services that are most relevant to you, and improve the online user experience. For further information about how we use cookies, please visit our Privacy Statement. For information on how to adjust your cookie preferences including how to delete cookies, please consult your browser’s “Help” function.
