Readiness Assessment & Gap Analysis
SOC audits, often mislabeled as certifications, are in fact attestation audits in which a CPA signs the opinion. Adequately preparing for your first SOC audit is therefore imperative, and right-sizing the scope of subsequent audits should be paramount. Engaging under the AICPA's Consulting Standards, our professionals guide your organization through the steps and documentation required to prepare for and complete a SOC audit.
SOC 1 Report
Once known as a SAS 70 or SSAE 16 and more recently referred to as SSAE 18, a SOC 1 report covers controls at a service organization that may be relevant to user entities’ internal control over financial reporting.
Two types of SOC 1 report exist:
- Type I – A report on management’s description of a service organization’s system and the suitability of the design of controls.
- Type II – A report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
SOC 2 and SOC 2+ Report
The SOC 2 report replaces the earlier SysTrust and WebTrust reviews. Its purpose is to evaluate an organization's information technology controls relevant to any one, or any combination, of the following five trust principles and their corresponding criteria issued by the AICPA:
- Security (required)
- Availability
- Confidentiality
- Processing Integrity
- Privacy
In addition, using SOC 2+, we can incorporate other frameworks into the audit report, such as NIST 800-53 or 800-171, ISO 27001, HITRUST (HIPAA compliance), Payment Card Industry (PCI), Cloud Security Alliance (CSA) and the Cybersecurity Maturity Model Certification (CMMC).
A SOC 2 report is intended for use by stakeholders such as customers, regulators, business partners, suppliers and directors. As with SOC 1, your service organization can choose to undergo a Type I or Type II audit.
SOC 3 Report
Like the SOC 2, this report is based on the five trust principles and their corresponding criteria issued by the AICPA. However, it does not detail any testing, as it is intended for marketing purposes. Of the three reports, the SOC 3 is the only one intended for general use, and it can be posted on your company website.
SOC for Cybersecurity Report
This report is designed to help organizations communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs to key stakeholders. As with SOC 1, your service organization can choose to undergo a Type I or Type II audit.
SOC for Supply Chain Report
Intended primarily for organizations that produce, manufacture, or distribute products, the SOC for Supply Chain report helps organizations build stakeholder trust by providing assurance over key aspects of their operational processes and related controls. As with SOC 1, your service organization can choose to undergo a Type I or Type II audit.