fbpx

SOC Reporting Services

Keeping sensitive client information secure is essential to your reputation and ability to serve clients. Today, many clients insist on proof that organizations they work with have adequate controls in place to protect against the threat of a breach.

To address this, the American Institute of Certified Public Accountants (AICPA) has developed system and organization controls (SOC) reports that can demonstrate the control activities that organizations have implemented over the processing of financial transactions or data (SOC 1), or actions that organizations have taken to address the security, availability, processing integrity, confidentiality, and/or privacy concerns clients have related to their data and information (SOC 2).

SOC reports communicate to regulators, business partners, and clients that appropriate internal controls have been designed and implemented within your organization. By performing SOC engagements, we can assist your team’s efforts to demonstrate your organization’s ability to meet the service requirements of your clients and to address relevant risks in providing the services.

SOC 1 – SOC for Service Organization: ICFR

Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

Attestation Standard: SSAE18

What is a SOC 1 Report?

The purpose of a SOC 1 report is to communicate a service organization’s controls relevant to a customer’s internal controls over financial reporting. SOC 1 reports help demonstrate compliance with various regulations, such as Sarbanes-Oxley or Model Audit Rule.

There are two types of SOC 1 reports:

SOC 1 – Type 1 attests to whether management has demonstrated that they have designed appropriate controls to achieve objectives as of a specified date.

SOC 1 – Type 2 is similar to Type 1 in that it attests that management has designed appropriate controls to achieve objectives; however, it also attests that these controls were operating effectively, and covers a specified period of time, rather than one date.

SOC 2 – SOC for Service Organizations: Trust Services Criteria

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy

Attestation Standard: SSAE18

What is a SOC 2 Report?

The purpose of a SOC 2 report is to help customers understand controls in place related to security, availability, processing integrity, confidentiality, and/or privacy. SOC 2 reports help demonstrate compliance with regulations such as PCI, HIPAA, GLB, FIDICA, etc. Use of these reports is restricted.

There are two types of SOC 2 reports:

SOC 2 – Type 1 attests to whether management has demonstrated that they have designed appropriate controls to mitigate risks related to their services — as they pertain to users — as of a specified date.

SOC 2 – Type 2 is similar to Type 1 in that it attests that management has designed appropriate controls to mitigate risks related to their services — as they pertain to users — however, it also attests that these controls were operating effectively, and covers a specified period of time, rather than one date.

SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report

Attestation Standard: SSAE18

What is a SOC 3 Report?

The purpose of a SOC 3 report is to inform any interested parties about the operating effectiveness of internal controls at the service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy, in connection with a SOC 2 engagement. The SOC 3 is a general use report that contains less detail than a SOC 2, but its distribution is not restricted.

SOC Readiness Engagements

Often, service organizations are unprepared for the results of the actual SOC 1 or SOC 2 examination, which may result in a delayed engagement, changes to the scope or reporting period, or even a “qualified opinion.” A SOC Readiness Engagement is an efficient means to prepare for your formal examination engagement. Our readiness engagements provide guidance regarding the scope of the examination engagement and identify to management where remediation is necessary to ensure that the control objectives (SOC 1) or applicable trust services criteria (SOC 2) are achieved. These engagements also help you to present the control activities already in place and allow consideration of whether appropriate documentation is maintained so that the operation of controls may be tested in the SOC 1 or SOC 2 engagement.

High Level “Quick Hit” Readiness Engagements are accomplished through interviews and reviews of any existing policies and procedures. We consider the design of controls only, with the deliverable focusing on the objectives or criteria where remediation is necessary.

Detailed Readiness Engagements consider both the design and implementation of controls. Our professionals will consider the design of controls in place, and then perform walkthroughs of those key controls to determine whether they have been implemented as designed.

Who benefits from SOC Readiness Engagements?

  • Organizations contemplating their first SOC 1 or SOC 2 engagement
  • Organizations transitioning from one SOC report to another (i.e., SOC 1 to SOC 2)
IT Strategy Considerations for Construction Companies

IT Strategy Considerations for Construction Companies

As with many industries, the construction industry is beginning to see a change in how technology can enable aspects of many processes.  However, with an average spend of approximately 1.5% of revenue on information technology (the lowest among any industry), construction companies must ask themselves, “are we deploying our IT resources in the most effective […]

Learn More
Requesting a SOC Report

Requesting a SOC Report

The significance of managing risks associated with your vendors is more important than ever. As more companies outsource key processes, technologies, and data management and storage, many control activities are no longer directly performed by company personnel. However, the responsibility for those controls still resides with your company. Outsourcing exposes your organization to risk and […]

Learn More
FAQ: System and Organization Controls (SOC) Reports

FAQ: System and Organization Controls (SOC) Reports

What kinds of companies need SOC reports? Organizations that provide the following types of services for customers/clients may benefit from a SOC examination and report to demonstrate to customers/clients the strength of their internal controls: Software as a Service Outsourced Transaction Processors (e.g., Payroll Processors, TPA’s) Professional Services with Access to Sensitive Client Data (e.g, […]

Learn More

Connect with our team.

To learn more about our IT advisory services, contact our team here.

Send us a message.