article banner
Advisory

Managing virtual currency risk with SOC

The virtual asset space is developing at an astonishing rate. A technology that barely existed over a decade ago is now arguably spawning one of the greatest financial revolutions of our age—introducing countless innovative and never-before-seen products, services and business models. But just as it’s hard to deny the tremendous potential this technology has to offer, it’s difficult to ignore its associated risks—whether perceived or otherwise.

While the world made tremendous progress in 2018 from a virtual asset regulation and risk management perspective—incorporating the industry into existing and new regulatory and risk management frameworks—there is still a way to go. With no formally-enacted regulatory requirements or guidelines in place in Canada, virtual asset risk management is still a best practice undertaking—which means companies must take it upon themselves to ensure they’re doing what it takes to protect the best interests of their customers.


To do this, they must look more critically—and thoroughly—
at their internal control structures. One way of doing this is through undertaking a System and Organization Controls (SOC) attestation engagement.

Download the full guide to learn more about obtaining a System and Organization Control (SOC) attestation report

A primer: What are SOC attestation engagements?

The purpose of a System and Organization Controls (SOC) engagement is to validate that a user entity (the recipient of services being provided by a third party) or service organization (the entity providing the services) is operating as efficiently as possible, while minimizing risks and offering the best quality service. These exams are performed by service auditors and must meet the
attestation standards set out by the American Institute of Certified Public Accountants (AICPA) (for companies in the United States) and the Canadian Standard on Assurance Engagements (for companies situated in Canada).

The standards vary depending on the type of company and the subject matter being reported on. As such, they are broken down into three different types of reports: SOC 1, SOC 2 and SOC 3. There are different reasons why an entity might want to choose one over the other, which are outlined in the chart below:

What does the engagement test?

SOC 1 report

An organization’s financial reporting controls.

SOC 2 & SOC 3 reports

An organization’s controls relative to security, availability, processing integrity, confidentiality and/or privacy.

What is the purpose of the engagement?

SOC 1 report

To provide information to a relevant stakeholder (e.g., a user entity, including its auditors) about an organization’s financial reporting controls. It enables the user auditor to perform risk assessment procedures and, depending on the type of report sought, assess the risk of material misstatement of financial statement assertions.

SOC 2 report

To provide an organization’s management team, as well as other specified parties, with a Certified/Chartered Professional Accountant’s (CPA) opinion about controls at the organization that may affect the entity’s security, availability, processing integrity, confidentiality or privacy.

SOC 3 report

To provide interested parties (e.g., banking partners, investors,
customers and the public) 
with a Certified/Chartered Professional Accountant’s (CPA) opinion about how an organization’s existing
controls may affect the entity’s security, availability, processing integrity, confidentiality or privacy.

What is the outcome of the engagement?

SOC 1 & SOC 2 reports

Type 1 report: A report on the description of controls at a point in time, provided by management of the organization, which attests that the controls are suitably designed and implemented.

Type 2 report:  A report on the description of controls over a period of time, provided by management of the service organization, which attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls.

SOC 3 report

The auditor’s report on whether the entity maintained effective
controls over its system as it relates to the criteria being reported on (e.g., security, privacy, etc.)

Who is the audience/intended user of the report?

SOC 1 report

Restricted use – SOC 1 reports are intended for auditors of the user entity’s
financial statements, management of the user entity and management of the service organization.

SOC 2 report

Restricted use – SOC 2 reports are intended for an audience that has prior knowledge and understanding of the system, such as management of an organization.

SOC 3 report

Anyone – SOC 3 reports can be shared openly with the public and posted
on a company’s website with a seal indicating their compliance.