Systems and Organization Controls (SOC) Audits
We work with service providers across many industries to provide third-party attestation and Systems and Organization Controls (SOC) reporting.
About SOC Audits
SOC audits and resulting reports verify that a company’s or organization’s internal controls and IT environment are robust and employ best practices to protect data. These reports provide transparency and address the reliability of outsourced service providers and their processes. Companies and organizations find that having a SOC report can be a sales and marketing advantage, as it provides assurance to potential clients, current clients, business partners, and other third parties.
SOC reports give companies and organizations an efficient, single resource for sharing information with various parties. The alternative is to answer questions about internal controls, the IT environment, etc. with each party whenever they inquire. Obviously, this can become cumbersome and inefficient over time.
Finally, SOC audits must be performed by a CPA firm, and are generally done every year. Reports are good for one year from the date of the report. After a company has its report, it can also use a special “Service Organization Controls Report” logo provided by the AICPA on its materials.
For more information about SOC reports, we recommend visiting the AICPA’s website on SOC.
Seiler’s SOC Audit Services
Our SOC audit practice is a part of our Audit and Assurance Services group. We provide:
- SOC Readiness Assessments. If your company or organization hasn’t gone through a SOC audit before, we strongly recommend working with us on a one-time readiness assessment.
- SOC 1℠. This customer-only report covers Internal Controls over Financial Reporting (ICFR), including business and IT controls, and is focused on outsourced service providers that impact ICFR. These reports are restricted (not public). SOC 1℠ certification is good for one year.
- SOC 2℠. This report specifically covers IT internal controls focused on Security, as well as the Confidentiality, Availability, Processing Integrity and/or Privacy Trust principles. These reports are restricted (not public) and are usually shared only with clients and external parties under confidentiality agreements. SOC 2℠ certification is good for one year.
- SOC 3℠. This is a condensed form of a SOC 2℠ report and is intended to be shared publicly.
- SOC for Cybersecurity. This is a new type of SOC report, and this audit is only starting to be performed in 2018. This report focuses on the effectiveness of a company’s or organization’s cybersecurity risk management. Because these reports use commonly accepted methodologies and a common structure, the SOC for Cybersecurity report will also allow “apples to apples” comparisons.