Organizations of every kind, including publicly traded companies, private companies and not-for-profits, may require verification that the third-party service organizations they rely on (for example, those whose systems and processes affect their financial reporting or handle their data) operate under a strong set of internal controls. These verifications come in the form of various System and Organization Controls (SOC) reports, each covering a different scope. The reports assure your clients and prospective clients that your internal controls are suitably designed and operating effectively. Examples of service organizations that may be asked for such reports include data center operators, loan servicers, medical claims processors and payroll processors.
OUR SERVICES
SOC Examinations & Attestations

- SOC 1
SOC 1 reports are issued under the Statement on Standards for Attestation Engagements (SSAE) 18 and focus on the business processes and IT controls at your organization that are relevant to your clients' internal control over financial reporting. There are two types of SOC report: a Type 1 report examines whether your controls are suitably designed and implemented as of a specific date. A Type 2 report examines whether your controls are suitably designed, implemented and documented, and adds an opinion on their operating effectiveness over a set period (usually 12 months).
- SOC 2
These reports concentrate on the five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. SOC 2 does not prescribe specific controls; each service organization decides how it will meet the criteria. This flexibility means SOC 2 reports are unique to each company, and it makes the choice of auditor particularly important. You need an audit team with a deep understanding of SOC controls and best practices. SOC 2 reports are restricted-use reports that are typically shared under an NDA with clients and prospective clients, regulators or other specified parties.
- SOC 3
Similar to SOC 2 reports in that they examine the same five Trust Services Criteria, SOC 3 reports are general-use reports: they omit the detailed description of controls and test results found in a SOC 2 report and can be published and distributed freely.
SOC Readiness Assessments
These assessments provide an overview of your organization's preparedness for a successful SOC 1, SOC 2, SOC 3 or SOC for Cybersecurity examination. At the end of the assessment, our experts will tell you which identified control gaps and observations need to be addressed and remediated in order for your SOC audit to be successful.
What are the SOC 2 Trust Services Criteria?
For SOC 2, there are five Trust Services Criteria that can be evaluated. Of the five, only Security (also called the common criteria) is required in order to be issued a SOC 2 report; the other four are included at the organization's discretion, based on the commitments it makes to its clients.
- Security — Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality or privacy of information. Information (or data) should be protected throughout its collection or creation, use, processing, transmission and storage.
- Availability — Information and systems are available for operation and use as committed or agreed. Systems include controls to support accessibility for operation, monitoring and maintenance.
- Confidentiality — Information designated as confidential (for example, under contractual commitments to clients) is protected as committed or agreed, from the time it is received through to its disposal.
- Processing Integrity — System processing (particularly of customer data) is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Privacy — Personal information is collected, used, retained, disclosed, and disposed of in accordance with relevant regulations and policies.