SOC Reporting Services
Keeping sensitive client information secure is essential to your reputation and ability to serve clients. Today, many clients insist on proof that organizations they work with have adequate controls in place to protect against the threat of a breach.
To address this, the American Institute of Certified Public Accountants (AICPA) has developed system and organization controls (SOC) reports that can demonstrate the control activities that organizations have implemented over the processing of financial transactions or data (SOC 1), or actions that organizations have taken to address the security, availability, processing integrity, confidentiality, and/or privacy concerns clients have related to their data and information (SOC 2).
SOC reports communicate to regulators, business partners, and clients that appropriate internal controls have been designed and implemented within your organization. By performing SOC engagements, we can assist your team’s efforts to demonstrate your organization’s ability to meet the service requirements of your clients and to address relevant risks in providing the services.
SOC 1 – SOC for Service Organization: ICFR
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
Attestation Standard: SSAE18
What is a SOC 1 Report?
The purpose of a SOC 1 report is to communicate a service organization’s controls relevant to a customer’s internal controls over financial reporting. SOC 1 reports help demonstrate compliance with various regulations, such as Sarbanes-Oxley or Model Audit Rule.
There are two types of SOC 1 reports:
SOC 1 – Type 1 attests to whether management has demonstrated that they have designed appropriate controls to achieve objectives as of a specified date.
SOC 1 – Type 2 is similar to Type 1 in that it attests that management has designed appropriate controls to achieve objectives; however, it also attests that these controls were operating effectively, and covers a specified period of time, rather than one date.
SOC 2 – SOC for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
Attestation Standard: SSAE18
What is a SOC 2 Report?
The purpose of a SOC 2 report is to help customers understand controls in place related to security, availability, processing integrity, confidentiality, and/or privacy. SOC 2 reports help demonstrate compliance with regulations such as PCI, HIPAA, GLB, FIDICA, etc. Use of these reports is restricted.
There are two types of SOC 2 reports:
SOC 2 – Type 1 attests to whether management has demonstrated that they have designed appropriate controls to mitigate risks related to their services — as they pertain to users — as of a specified date.
SOC 2 – Type 2 is similar to Type 1 in that it attests that management has designed appropriate controls to mitigate risks related to their services — as they pertain to users — however, it also attests that these controls were operating effectively, and covers a specified period of time, rather than one date.
SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report
Attestation Standard: SSAE18
What is a SOC 3 Report?
The purpose of a SOC 3 report is to inform any interested parties about the operating effectiveness of internal controls at the service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy, in connection with a SOC 2 engagement. The SOC 3 is a general use report that contains less detail than a SOC 2, but its distribution is not restricted.
SOC Readiness Engagements
Often, service organizations are unprepared for the results of the actual SOC 1 or SOC 2 examination, which may result in a delayed engagement, changes to the scope or reporting period, or even a “qualified opinion.” A SOC Readiness Engagement is an efficient means to prepare for your formal examination engagement. Our readiness engagements provide guidance regarding the scope of the examination engagement and identify to management where remediation is necessary to ensure that the control objectives (SOC 1) or applicable trust services criteria (SOC 2) are achieved. These engagements also help you to present the control activities already in place and allow consideration of whether appropriate documentation is maintained so that the operation of controls may be tested in the SOC 1 or SOC 2 engagement.
High Level “Quick Hit” Readiness Engagements are accomplished through interviews and reviews of any existing policies and procedures. We consider the design of controls only, with the deliverable focusing on the objectives or criteria where remediation is necessary.
Detailed Readiness Engagements consider both the design and implementation of controls. Our professionals will consider the design of controls in place, and then perform walkthroughs of those key controls to determine whether they have been implemented as designed.
Who benefits from SOC Readiness Engagements?
- Organizations contemplating their first SOC 1 or SOC 2 engagement
- Organizations transitioning from one SOC report to another (e.g., SOC 1 to SOC 2)