SOC Reporting Services
Keeping sensitive client information secure is essential to your reputation and ability to serve clients. Today, many clients insist on proof that organizations they work with have adequate controls in place to protect against the threat of a breach.
To address this, the American Institute of Certified Public Accountants (AICPA) has developed system and organization controls (SOC) reports that can demonstrate the control activities that organizations have implemented over the processing of financial transactions or data (SOC 1), or actions that organizations have taken to address the security, availability, processing integrity, confidentiality, and/or privacy concerns clients have related to their data and information (SOC 2).
SOC reports communicate to regulators, business partners, and clients that appropriate internal controls have been designed and implemented within your organization. By performing SOC engagements, we can assist your team’s efforts to demonstrate your organization’s ability to meet the service requirements of your clients and to address relevant risks in providing the services.
SOC 1 – SOC for Service Organizations: ICFR
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
Attestation Standard: SSAE18
What is a SOC 1 Report?
The purpose of a SOC 1 report is to communicate a service organization’s controls that are relevant to its customers’ (user entities’) internal control over financial reporting. User entities and their financial statement auditors rely on SOC 1 reports to support their own compliance with requirements such as the Sarbanes-Oxley Act or the NAIC Model Audit Rule.
There are two types of SOC 1 reports:
SOC 1 – Type 1 reports on whether management’s description of the system is fairly presented and whether the controls are suitably designed to achieve the stated control objectives as of a specified date. It does not test whether those controls actually operated.
SOC 1 – Type 2 covers the same description and design assessments as a Type 1, and additionally reports on whether the controls operated effectively throughout a specified period, rather than as of a single date. Only a Type 2 report provides evidence of operating effectiveness.
SOC 2 – SOC for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
Attestation Standard: SSAE18
What is a SOC 2 Report?
The purpose of a SOC 2 report is to help customers understand the controls a service organization has in place over the security, availability, processing integrity, confidentiality, and/or privacy of the systems and data it handles, measured against the AICPA trust services criteria. SOC 2 reports can support customers’ compliance efforts under requirements such as PCI DSS, HIPAA, the Gramm-Leach-Bliley Act (GLBA), and FDICIA, although a SOC 2 report is not itself a certification under any of them. SOC 2 reports are restricted-use reports: they are intended for management of the service organization, its customers, and those customers’ auditors and other specified parties, not for public distribution.
There are two types of SOC 2 reports:
SOC 2 – Type 1 reports on whether management’s description of the system is fairly presented and whether the controls are suitably designed to meet the applicable trust services criteria as of a specified date. It does not test whether those controls actually operated.
SOC 2 – Type 2 covers the same description and design assessments as a Type 1, and additionally reports on whether the controls operated effectively throughout a specified period, rather than as of a single date. A Type 2 report includes a description of the auditor’s tests of controls and their results.
SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report
Attestation Standard: SSAE18
What is a SOC 3 Report?
The purpose of a SOC 3 report is to inform any interested party about the operating effectiveness of a service organization’s controls relevant to security, availability, processing integrity, confidentiality, and/or privacy. It is issued in connection with a SOC 2 engagement and draws on the same examination, but it omits the detailed system description and the description of the auditor’s tests and results that a SOC 2 report contains. Because it carries less detail, the SOC 3 is a general use report whose distribution is not restricted, so it can be posted publicly or shared with prospective customers.
SOC Readiness Engagements
Often, service organizations are unprepared for the results of the actual SOC 1 or SOC 2 examination, which may result in a delayed engagement, changes to the scope or reporting period, or even a “qualified opinion.” A SOC Readiness Engagement is an efficient means to prepare for your formal examination engagement. Our readiness engagements provide guidance regarding the scope of the examination engagement and identify to management where remediation is necessary to ensure that the control objectives (SOC 1) or applicable trust services criteria (SOC 2) are achieved. These engagements also help you to present the control activities already in place and allow consideration of whether appropriate documentation is maintained so that the operation of controls may be tested in the SOC 1 or SOC 2 engagement.
High Level “Quick Hit” Readiness Engagements are accomplished through interviews and reviews of any existing policies and procedures. We consider the design of controls only, with the deliverable focusing on the objectives or criteria where remediation is necessary.
Detailed Readiness Engagements consider both the design and implementation of controls. Our professionals will consider the design of controls in place, and then perform walkthroughs of those key controls to determine whether they have been implemented as designed.
Who benefits from SOC Readiness Engagements?
- Organizations contemplating their first SOC 1 or SOC 2 engagement
- Organizations transitioning from one SOC report to another (e.g., SOC 1 to SOC 2)
What kinds of companies need SOC reports?
Organizations that provide the following types of services for customers/clients may benefit from a SOC examination and report to demonstrate to customers/clients the strength of their internal controls:
- Software as a Service
- Outsourced Transaction Processors (e.g., Payroll Processors, TPAs)
- Professional Services with Access to Sensitive Client Data (e.g., […]