System and Organization Control (SOC) Reporting Services
Tracking the Controls You Provide to Your Clients
With more and more companies outsourcing their financially significant and information technology services to third parties, it has become critical for user organizations to understand each service entity and its internal controls. The American Institute of Certified Public Accountants (AICPA) has replaced the traditional SAS 70 and the more recent SSAE 16, as well as WebTrust and SysTrust reports/seals and the more recent AT 101, with a new set of standards: the Statement on Standards for Attestation Engagements No. 18.
Under an engagement once known as a SAS 70 and more recently referred to as an “SSAE 16,” a service provider can now be audited against one or more of the following Service Organization Control (SOC) standards:
SOC 1
This SOC report covers controls at a service organization that may be relevant to user entities’ internal control over financial reporting.
Two types of SOC 1 reports exist:
Type I – a report on management’s description of a service organization’s system and the suitability of the design of controls.
Type II – a report on management’s description of a service organization’s system and the suitability of the design and effectiveness of controls.
SOC 2 and SOC 2+
This SOC report replaces the prior SysTrust and WebTrust reviews. Its purpose is to evaluate an organization’s information technology controls relevant to any one, or any combination, of the following five trust principles and their corresponding criteria issued by the AICPA:
Security
Availability
Confidentiality
Processing Integrity
Privacy
In addition, we are able to incorporate other frameworks (SOC 2+) into our audit reports, including NIST, HITRUST, and ISO. A SOC 2 report is intended for use by stakeholders such as customers, regulators, business partners, suppliers and directors. As with SOC 1, service organizations can choose to undergo a Type I or Type II audit.
SOC 3
Like the SOC 2, this SOC report is based on the five trust principles and their corresponding criteria issued by the AICPA. However, the report does not detail any testing, as it is intended for marketing purposes. A SOC 3 is the only one of the three reports that is for general use and can be posted on a website.
SOC for Cybersecurity
This report is designed to assist organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs.
As a service provider, receiving these audits from an independent CPA firm reduces the frustrations caused by multiple requests and frees up valuable time for your internal resources. So, which of these audits is the right one for you?
Cherry Bekaert deploys an experienced team of CPAs, Certified Information Systems Auditors (CISA) and Certified Information Technology Professionals (CITP) in conducting SOC 1, SOC 2 and SOC 3 audits for service organizations across a wide span of industries. Whether you are embarking on your first SOC report and are interested in a Readiness Assessment followed by a SOC audit, or have received SAS 70 and subsequent SSAE 16 audit reports for years, our professionals can help.