SOC AUDIT

SOC audits and resulting reports verify that a company’s or organization’s internal controls and IT environment are robust and employ best practices to protect data. These reports provide transparency and address the reliability of outsourced service providers and their processes. Companies and organizations find that having a SOC report can be a sales and marketing advantage, as it provides assurance to potential clients, current clients, business partners, and other third parties.

SOC reports give companies and organizations an efficient, single resource for sharing information with various parties. The alternative is to answer questions about internal controls, the IT environment, etc. with each party whenever they inquire. Obviously, this can become cumbersome and inefficient over time.

Finally, SOC audits must be performed by a CPA firm, and are generally done every year. Reports are good for one year from the date of the report. After a company has its report, it can also use a special “Service Organization Controls Report” logo provided by the AICPA on its materials.

For more information about SOC reports, we recommend visiting the AICPA’s website on SOC.

Our SOC audit practice is a part of our Audit and Assurance Services group. We provide:

• SOC Readiness Assessments. If your company or organization hasn’t gone through a SOC audit before, we strongly recommend working with us on a one-time readiness assessment.
• SOC 1^SM. This customer-only report covers Internal Controls over Financial Reporting (ICFR), including business and IT controls, and are focused on outsourced service providers that impact ICFR. These reports are restricted (not public). SOC 1^SM certification is good for one year.
• SOC 2^SM. This report specifically covers IT internal controls focused on Security, as well as Confidentiality, Availability, Processing Integrity and/or Privacy Trust principles. These reports are restricted (not public), and usually only shared with clients and external parties under confidentiality agreements. SOC 2^SM certification is good for one year.
• SOC 3^SM. This is a condensed form of a SOC 2^SM report, and is intended to be shared publicly.
• SOC for Cybersecurity. This is a new type of SOC report, and this audit is only starting to be performed in 2018. This report focuses the effectiveness of a company’s or organization’s cybersecurity risk management. Because these reports use commonly accepted methodologies and a common structure, the SOC for Cybersecurity report will also allow “apples to apples” comparisons.