boulaygroup.com

SOC Reporting

Ask a question

SOC Reporting for Assurance, Transparency and Trust

As companies increase their awareness of the risks posed in service delivery, Boulay is your partner to ensure your business meets the System and Organization Controls (SOC) reporting and compliance standards necessary to compete for and retain customers asking for SOC assurance. Beyond assurance, SOC reporting helps you build trust and transparency with stakeholders and proactively identify, manage and mitigate risks.

SOC reports are assessments of your company’s internal controls, performed by an independent CPA firm. Partnering with the right CPA firm for SOC reporting helps you meet auditor and regulatory requirements and build credibility for current and prospective customers. Boulay is here to help you get there with three types of SOC reporting engagements.

SOC 1

SOC 1 reports evaluate your organization’s internal control over financial reporting (ICFR). Distribution of the SOC 1 report is limited to management of your service organization, customer (user) entities and user auditors. SOC 1 reports are typically required for service organizations whose operations may impact the financial statements of their user entities, such as:

        • Payroll
        • Insurance and claims processors
        • Financial services and payment processors
        • Loan-servicing companies

There are two types of SOC 1 reports:

        • SOC 1 Type 1 reports assess the procedures and ICFR the organization has put into place as of a point in time.
        • SOC 1 Type 2 reports evaluate the procedures and ICFR the organization has put into place, as well as the operating effectiveness of these controls, over a given period of time.

SOC 2

SOC 2 reports evaluate your organization’s internal controls relevant to trust services criteria (security, availability, processing integrity, confidentiality and privacy). The audience for SOC 2 reports is restricted to management, user entities, regulators and other specified parties. SOC 2 reports are most commonly required for service organizations who store or process client information, including:

        • Software-as-a-Service (SaaS) organizations
        • Cloud data storage providers
        • Marketing agencies
        • IT services
        • Companies that need a SOC 1 report

Similar to SOC 1, SOC 2 reports are divided into two categories:

        • SOC 2 Type 1 reports evaluate the trust services criteria procedures and controls the organization has put into place as of a point in time.
        • SOC 2 Type 2 reports assess the trust services criteria procedures and controls the organization has put into place, as well as the operating effectiveness of these controls, over a given period of time.

SOC 3

SOC 3 reports are similar to SOC 2 reports in that both evaluate trust services criteria controls and the effectiveness of these controls. However, SOC 3 reports are much less detailed, providing a shorter overview for a more general (public) audience.

How we Help You Get There

Each type of SOC report addresses specific needs, and Boulay’s Risk Advisory team is here to help you determine which level of SOC reporting is right for the needs of your business. Let our team help you build trust, tackle your assurance challenges and manage risks – contact us today.

Request a Meeting
SOC Reporting Insights

brochures

Download Our Accounting and Auditing Brochure

Risk Advisory Team

Jeffrey Filler

Partner

Landon Adolphson

Senior Manager

Robert Chandler

Supervisor

Tristan Moore

Associate

Contact our Risk Advisory Team

Let our team provide expert guidance and solutions to assist with your technology risks.

Contact Us

SOC Reporting FAQs

SOC (System and Organization Controls) is frequently divided into 3 report types called SOC 1, SOC 2, and SOC 3. SOC 2 is an auditing procedure that ensures service providers provide management over outside data by evaluating data based on five “trust service criteria”- security, availability, processing integrity, confidentiality and privacy.

The Trust Service Criteria (TSC) is the control criteria used for assessment and reporting of controls for systems and information. They are as follows:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

No. SOC2 and SSAE 16 are different. SSAE 16 was the attestation standard for SOC1 and AT101 was the attestation standard for SOC2. SSAE18 was implemented in 2018 and is now that Attestation Standard for both SOC1 and SOC2.

SOC 2 is not a requirement for SaaS and cloud computing vendors, but prospective partner organizations could ask for the report at a minimum before conducting business. This is particularly true of enterprise-level prospects, along with those in a regulated industry like Financial Services. As vendor management requirements become increasingly complex, SOC 2 may be necessary to remain competitive in the market.

Because of the sensitive data within them, SOC 2 reports are not designed for general public. SOC2 reports should only be provided to clients who utilize the in-scope system and have signed appropriate non-disclosure agreements. SOC 3 reports are designed for public consumption.

A SOC 2 audit must be conducted by a third-party, independent Certified Public Accounting firm (CPA). It is recommended utilizing a firm with a strong technical background experience in the areas of both IT audits, financial audits, and SOC exams to ensure the process is done correctly.

Most SOC 2 reports cover a 12-month period. Some organizations, particularly those serving many corporate clients or that have ongoing concerns regarding their controls, may choose to perform this audit every 6 months.

A SOC 2 Type 1 is attestation of controls at a service organization at a specific point in time that reports on the description of controls provided by management of the service organization attesting that controls are correctly designed and implemented. For example, during a Type I the auditor will examine the disaster recovery policy and the backup job configuration to verify it matches the policy. A single backup job completion may also be examined.

A SOC2 Type 2 is attestation of controls at a service organization over a minimum six-month period that reports on the description of controls provided by management of the service organization attesting that controls are correctly designed and implemented as well as attests the operating effectiveness of those controls. Going back to the previous example, the auditor will examine the policy, backup job configuration and will then inspect job completions for a sample of days throughout the period.

Occurring before an official SOC 2 audit, readiness testing is a test-case for the official report which hopes to narrow the scope of the audit, clarify remediation strategies, and shore-up the control environment prior to a full assessment.

Latest Insights

View more insights