SOC Reporting for Assurance, Transparency and Trust
As companies increase their awareness of the risks posed in service delivery, Boulay is your partner to ensure your business meets the System and Organization Controls (SOC) reporting and compliance standards necessary to compete for and retain customers asking for SOC assurance. Beyond assurance, SOC reporting helps you build trust and transparency with stakeholders and proactively identify, manage and mitigate risks.
SOC reports are assessments of your company’s internal controls, performed by an independent CPA firm. Partnering with the right CPA firm for SOC reporting helps you meet auditor and regulatory requirements and build credibility for current and prospective customers. Boulay is here to help you get there with three types of SOC reporting engagements.
SOC 1
SOC 1 reports evaluate your organization’s internal control over financial reporting (ICFR). Distribution of the SOC 1 report is limited to management of your service organization, customer (user) entities and user auditors. SOC 1 reports are typically required for service organizations whose operations may impact the financial statements of their user entities, such as:
- Payroll
- Insurance and claims processors
- Financial services and payment processors
- Loan-servicing companies
There are two types of SOC 1 reports:
- SOC 1 Type 1 reports assess the procedures and ICFR the organization has put into place as of a point in time.
- SOC 1 Type 2 reports evaluate the procedures and ICFR the organization has put into place, as well as the operating effectiveness of these controls, over a given period of time.
SOC 2
SOC 2 reports evaluate your organization’s internal controls relevant to the trust services criteria (security, availability, processing integrity, confidentiality and privacy). The audience for SOC 2 reports is restricted to management, user entities, regulators and other specified parties. SOC 2 reports are most commonly required for service organizations that store or process client information, including:
- Software-as-a-Service (SaaS) organizations
- Cloud data storage providers
- Marketing agencies
- IT services
- Companies that need a SOC 1 report
Similar to SOC 1, SOC 2 reports are divided into two categories:
- SOC 2 Type 1 reports evaluate the trust services criteria procedures and controls the organization has put into place as of a point in time.
- SOC 2 Type 2 reports assess the trust services criteria procedures and controls the organization has put into place, as well as the operating effectiveness of these controls, over a given period of time.
SOC 3
SOC 3 reports are similar to SOC 2 reports in that both evaluate trust services criteria controls and the effectiveness of these controls. However, SOC 3 reports are much less detailed, providing a shorter overview for a more general (public) audience.
How We Help You Get There
Each type of SOC report addresses specific needs, and Boulay’s Risk Advisory team is here to help you determine which level of SOC reporting is right for the needs of your business. Let our team help you build trust, tackle your assurance challenges and manage risks – contact us today.
SOC Reporting FAQs
SOC (System and Organization Controls) reporting is commonly divided into three report types: SOC 1, SOC 2 and SOC 3. SOC 2 is an attestation engagement that evaluates how a service organization manages the customer data entrusted to it, assessed against five trust services criteria: security, availability, processing integrity, confidentiality and privacy.
The Trust Services Criteria (TSC) are the control criteria used to assess and report on controls over systems and information. They are as follows:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
No. SOC 2 and SSAE 16 are not the same thing. SSAE 16 was the attestation standard for SOC 1, and AT 101 was the attestation standard for SOC 2. SSAE 18 was implemented in 2018 and is now the attestation standard for both SOC 1 and SOC 2.
SOC 2 is not a requirement for SaaS and cloud computing vendors, but prospective partner organizations could ask for the report at a minimum before conducting business. This is particularly true of enterprise-level prospects, along with those in a regulated industry like Financial Services. As vendor management requirements become increasingly complex, SOC 2 may be necessary to remain competitive in the market.
Because of the sensitive data within them, SOC 2 reports are not designed for the general public. SOC 2 reports should only be provided to clients who use the in-scope system and have signed appropriate non-disclosure agreements. SOC 3 reports are designed for public consumption.
A SOC 2 audit must be conducted by an independent, third-party Certified Public Accountant (CPA) firm. We recommend using a firm with strong technical experience in IT audits, financial audits and SOC examinations to ensure the process is done correctly.
Most SOC 2 reports cover a 12-month period. Some organizations, particularly those serving many corporate clients or that have ongoing concerns regarding their controls, may choose to perform this audit every 6 months.
A SOC 2 Type 1 report is an attestation of controls at a service organization as of a specific point in time. It reports on management’s description of the controls and attests that those controls are suitably designed and implemented. For example, during a Type 1 examination the auditor will examine the disaster recovery policy and the backup job configuration to verify that the configuration matches the policy. A single backup job completion may also be examined.
A SOC 2 Type 2 report is an attestation of controls at a service organization over a period of at least six months. It reports on management’s description of the controls, attests that those controls are suitably designed and implemented, and additionally attests to the operating effectiveness of those controls over the period. Returning to the previous example, the auditor will examine the policy and the backup job configuration, and will then inspect job completions for a sample of days throughout the period.
Readiness testing takes place before the official SOC 2 audit. It is a dry run of the official examination intended to narrow the scope of the audit, clarify remediation strategies and shore up the control environment prior to a full assessment.