
SOC Reporting

A SOC audit is an attestation engagement in which a CPA expresses an opinion. SOC for Service Organizations reports are designed to help service organizations that provide services to other entities build trust and confidence in the services performed, and in the controls related to those services, through a report by an independent CPA.

Each type of SOC for Service Organizations report is designed to help service organizations meet specific user needs.  Understanding the differences between the reports is essential to determining which report is best suited to meet organizational objectives.

SOC 1 

Once known as a SAS 70 or SSAE 16 and more recently referred to as SSAE 18, a SOC 1 report covers controls at a service organization that may be relevant to user entities’ internal control over financial reporting.

Type I – A report on management’s description of a service organization’s system and the suitability of the design of controls.

Type II – A report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.


SOC 2 and SOC 2+

The purpose of a SOC 2 examination is to evaluate an organization’s information technology controls relevant to any one, or any combination, of the following five trust principles and their corresponding criteria issued by the AICPA:

1. Security (required)
2. Availability
3. Confidentiality
4. Processing Integrity
5. Privacy

Using SOC 2+, we are able to incorporate other frameworks into our audit reports such as NIST 800-53 or 171, ISO 27001, HITRUST (HIPAA Compliance), Payment Card Industry (PCI), and Cloud Security Alliance (CSA).  
 
A SOC 2 report is intended for use by stakeholders such as customers, regulators, business partners, suppliers and directors. Similar to SOC 1, your service organization can choose to undergo a Type I or Type II audit.

SOC 3

Similar to the SOC 2, this SOC report is based on the five trust principles and their corresponding criteria issued by the AICPA. However, the report does not detail any testing, as it is intended for marketing purposes. A SOC 3 is the only one of the three reports that is for general use and can be posted on your company website.

SOC 2 and SOC 3 examinations differ in their reporting: in how the report is used and in the level of detail contained in the description. The driving force behind the differences between the two reports is the intended distribution of the report. A SOC 2 report is a restricted use report that is solely intended for the user entities, management of the service organization, and other specified parties.

However, a SOC 3 report is a general use report that is freely distributed to the public and is intended for users that are only interested in a broad overview of the service organization and the service being provided. In general, a SOC 3 audit report is used by service organizations for marketing purposes, while a SOC 2 report is better suited for a service organization to provide to user entities that seek details as to how the service organization is performing in maintaining controls to protect their interests.

SOC Cybersecurity

The SOC for Cybersecurity examination provides an independent, entity-wide assessment of an organization’s cybersecurity risk management program. These reports add value to any organization by reducing uncertainty and building resilience through an evaluation of the effectiveness of existing cybersecurity processes and controls.

Our services include a general use report on whether the description of an entity’s cybersecurity risk management program is presented in accordance with description criteria and whether controls were effective in achieving the entity’s cybersecurity objectives.


This report is designed to assist organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs to key stakeholders. Similar to SOC 1, your service organization can choose to undergo a Type I or Type II audit.

SOC Supply Chain

Our team can examine and report on such information, thereby increasing the confidence that customers and business partners can place in the information.  

The report provides useful information about the system and its controls to help users better understand the associated risks and make better decisions.


Intended primarily for organizations that produce, manufacture, or distribute products, the SOC for Supply Chain helps organizations build stakeholder trust by providing assurance over key aspects of operational processes and related controls. Similar to SOC 1, your service organization can choose to undergo a Type I or Type II audit.

Why work with us?

Our team of professionals is dedicated to understanding your organization's risks and objectives, and to providing direct access to the resources necessary to optimize risk and gain insight through reporting.
