SOC Reporting Services
Keeping sensitive client information secure is essential to your reputation and ability to serve clients. Today, many clients insist on proof that organizations they work with have adequate controls in place to protect against the threat of a breach.
To address this, the American Institute of Certified Public Accountants (AICPA) has developed system and organization controls (SOC) reports that can demonstrate the control activities that organizations have implemented over the processing of financial transactions or data (SOC 1), or actions that organizations have taken to address the security, availability, processing integrity, confidentiality, and/or privacy concerns clients have related to their data and information (SOC 2).
SOC reports communicate to regulators, business partners, and clients that appropriate internal controls have been designed and implemented within your organization. By performing SOC engagements, we can assist your team’s efforts to demonstrate your organization’s ability to meet the service requirements of your clients and to address relevant risks in providing the services.
SOC 1 – SOC for Service Organization: ICFR
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
Attestation Standard: SSAE18
What is a SOC 1 Report?
The purpose of a SOC 1 report is to describe a service organization’s controls that are relevant to its user entities’ internal control over financial reporting (ICFR). User entities and their financial statement auditors rely on SOC 1 reports to support their own compliance obligations, such as those under the Sarbanes-Oxley Act or the NAIC Model Audit Rule; the report itself is an attestation on the service organization’s controls, not a certification of the user entity’s compliance.
There are two types of SOC 1 reports:
SOC 1 – Type 1 reports on whether management’s description of the system is fairly presented and whether the controls are suitably designed to achieve the stated control objectives as of a specified date. It does not test whether those controls actually operated.
SOC 1 – Type 2 covers the same description and design of controls; in addition, it reports on whether the controls operated effectively throughout a specified review period rather than as of a single date, and it includes the service auditor’s tests of controls and the results of those tests.
SOC 2 – SOC for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
Attestation Standard: SSAE18
What is a SOC 2 Report?
The purpose of a SOC 2 report is to help customers understand the controls a service organization has in place relevant to security, availability, processing integrity, confidentiality, and/or privacy, evaluated against the AICPA Trust Services Criteria. A SOC 2 report does not by itself establish compliance with requirements such as PCI DSS, HIPAA, GLBA, or FDICIA, but it is frequently used to support those obligations. SOC 2 reports are restricted-use reports: they are intended for the service organization’s management, its customers (user entities), and their auditors, and are not meant for public distribution.
There are two types of SOC 2 reports:
SOC 2 – Type 1 reports on whether management’s description of the system is fairly presented and whether the controls are suitably designed to meet the applicable trust services criteria as of a specified date. It does not test whether those controls actually operated.
SOC 2 – Type 2 covers the same description and design of controls; in addition, it reports on whether the controls operated effectively throughout a specified review period rather than as of a single date, and it includes the service auditor’s tests of controls and the results of those tests.
SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report
Attestation Standard: SSAE18
What is a SOC 3 Report?
The purpose of a SOC 3 report is to inform any interested party about the operating effectiveness of controls at the service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy. It is issued in connection with a SOC 2 examination and is based on the same testing. The SOC 3 is a general use report: it omits the detailed system description and the service auditor’s tests and results that a SOC 2 contains, so it can be distributed freely, for example posted on the service organization’s website.
SOC Readiness Engagements
Often, service organizations are unprepared for the results of the actual SOC 1 or SOC 2 examination, which may result in a delayed engagement, changes to the scope or reporting period, or even a qualified opinion. A SOC Readiness Engagement is an efficient means to prepare for the formal examination. Our readiness engagements provide guidance on the scope of the examination and identify to management where remediation is necessary so that the control objectives (SOC 1) or applicable trust services criteria (SOC 2) are achieved. They also help you document the control activities already in place and consider whether sufficient evidence is being retained so that the operation of those controls can be tested in the SOC 1 or SOC 2 engagement.
High Level “Quick Hit” Readiness Engagements are accomplished through interviews and reviews of any existing policies and procedures. We consider the design of controls only, with the deliverable focusing on the objectives or criteria where remediation is necessary.
Detailed Readiness Engagements consider both the design and implementation of controls. Our professionals will consider the design of controls in place, and then perform walkthroughs of those key controls to determine whether they have been implemented as designed.
Who benefits from SOC Readiness Engagements?
- Organizations contemplating their first SOC 1 or SOC 2 engagement
- Organizations transitioning from one SOC report to another (e.g., SOC 1 to SOC 2)
Connect with our team.
To learn more about our services and areas of expertise, send us a message.