System and Organization Controls

Your clients trust you to handle their data, and you don’t want to let them down. You want to assure their data is protected, and the information you provide them is accurate and complete. We can help you make this happen by providing a system and organization control (SOC) report, which can build trust by demonstrating your commitment to security and controls.

A SOC report is an independent examination of your internal controls that helps assess and address risks. These reports can only be conducted by independent certified public accounting firms. By following guidelines established by the AICPA, SOC reports can provide confidence in your internal controls and help develop best practices.

SOC 1 Reports

A SOC 1 report is specifically designed to provide management of the service organization, user entities and their independent auditors (user auditors) with information about the controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.

SOC 2 Reports

A SOC 2 report is specifically designed to meet the needs of a broad range of users, including management of the service organization, user entities and other parties. It provides information about the internal controls at the service organization relevant to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (as established by TSP 100).

SOC 3 Reports

A SOC 3 report provides a service auditor’s opinion about the controls at the service organization relevant to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy to any interested parties. While a SOC 2 report and SOC 3 report contain similar information related to the service auditor’s tests of controls and results of those tests, a SOC 2 report contains more detailed information and its distribution is restricted to a specific user audience. The SOC 3 report, which is much shorter and less detailed, is intended for a general (public) audience.

SOC for Cybersecurity

SOC for cybersecurity is a reporting framework to help organizations effectively communicate with key stakeholders on their cybersecurity risk management program and the effectiveness of controls within that program. The report issued for SOC for cybersecurity is an examination engagement performed by independent CPAs (practitioners) on an entity’s cybersecurity risk management program. 

SOC for Supply Chain

Suppliers, customers and business partners may expect entity management to establish operational and compliance objectives about the design, operation and effectiveness of controls within the system and may request an attestation report from the entity. Such a report is the result of an attestation engagement in which a practitioner (CPA) examines and opines on (a) whether the description of the entity’s system that produces, manufactures or distributes products (the description of the system or description) presents the system that was designed and implemented in accordance with the description criteria and (b) whether the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period, based on the applicable trust services criteria.

Type 1 and Type 2 SOC Reports

The AICPA has established two types of SOC reports:

• Type 1: Provides assurance that a service organization’s controls were specifically designed and placed in operation at a point of time.
• Type 2: Provides assurance that a service organization’s controls were specifically designed and were operating effectively over a given period of time.

SOC Readiness Assessment

A SOC Readiness Assessment measures your preparedness for a SOC examination and can help you avoid costly mistakes.

The guidance and standards for a SOC report are not a checklist of requirements or a set of minimum standards. It takes a professional with extensive experience in identifying and evaluating internal controls for a report to be performed properly. Without the right preparation and experience, you could devote a lot of time and resources and still fall short of customer expectations or industry control standards. A SOC Readiness Assessment can help ensure that does not happen. We will provide a SOC Readiness Assessment that will document the gaps in our internal controls and get you ready for a full SOC report.