What is SOC Reporting?
System and Organization Controls (SOC) Reporting is a comprehensive framework put forth by the American Institute of Certified Public Accountants (AICPA) geared towards reporting on controls at service organizations and for cybersecurity. The SOC framework was developed to bring about much needed transparency and consistency in reporting on systems and controls and assessing risk.
Does Your Organization Need a SOC Report?
If you provide outsourced services, your customers may ask for one or more annual SOC reports as part of their due diligence while selecting a vendor. You may also receive requests from external auditors or other business partners who require certain SOC reports for audits, oversight, risk management, corporate governance or regulatory purposes. Having these reports prepared annually decreases risk exposure, creates efficiency, and is a competitive advantage. Our team can help you meet customer demands and provide assurance to your customers, auditors, and other stakeholders through SOC reporting.
Which SOC Report is Right for You?
SOC 1 Reports
SOC 1 reports are performed under the most recent AICPA Attestation Standards (SSAE) for the purpose of complying with laws and regulations such as the Sarbanes-Oxley Act. The SOC 1 report describes systems and tests of control activities relevant to Internal Control over Financial Reporting (ICFR). Use of these reports may be restricted to your customers (user entities) and to the CPAs who audit the financial statements of those user entities, for the purpose of evaluating the effect of controls at the service organization on ICFR at the user entity. Examples of organizations that may use this type of SOC report include:
- Third-Party Administrators (TPAs)
- Payroll Service Providers
- Other service organizations that process or store financial data
SOC 2 Reports
SOC 2 reports are performed under the most recent AICPA Attestation Standards (SSAE) and describe systems and tests of control activities relevant to internal controls over financial reporting. The SOC 2 report covers one or more of the five Trust Services Principles: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Additionally, companies can report on the HIPAA framework and/or the Cybersecurity framework. Use of these reports may be restricted to your customers (user entities) and other stakeholders for vendor management, corporate governance, risk management, or regulatory oversight. Examples of organizations that may use this type of SOC report include:
- Cloud computing
- Software as a Service (SaaS)
- Software Development Organizations
- Data / Call Centers
- Web Hosting / Managed Services Providers
SOC 3 Reports
SOC 3 reports are performed under AICPA Attestation Standards and are intended for large, publicly traded companies. Use of the report is unrestricted. It reports on all five of the Trust Services Principles. Contact us to learn more.
What is the Difference Between a Type 1 and a Type 2 SOC Report?
SOC 1 and SOC 2 reports can be either Type 1 or Type 2 reports.
- Type 1 SOC Report - Evaluates and reports on the design and testing of controls put into operation as of a specific date.
- Type 2 SOC Report - Evaluates and reports on the design and testing of controls over a period of time, typically 12 months but no less than six months.
For more details on our SOC Reporting services, fill out the form below or contact MaryPat Davitz, CPA, CITP.