Best Practice Expertise That Provides A Competitive Edge
As a service provider seeking to differentiate yourself from your competitors, you understand the importance of demonstrating that you have established, and are effectively operating, internal controls over the services you provide to your customers. Service Organization Control (SOC) reports convey confidence, trust, and credibility in your business's internal controls to your customers and their auditors. The end result of this level of transparency is comfort for your clients: they receive information showcasing your commitment to reducing risk, together with an opinion from an independent third party on the processes most important to them.
SC&H Group is a trusted business advisor that provides guidance on which type of SOC report(s) your prospects, customers, and their auditors need. Our approach goes beyond an implementation checklist; it entails a strategic, well-thought-out plan of execution that positions your business for success among its competitors. As your business advisor, we deliver SOC engagement results that help you manage your business and internal control processes while streamlining your operations.
SC&H has significant audit expertise with SOC reporting frameworks. The SC&H audit team can address compliance mandates for reporting on controls at service organizations such as:
- Data center business and backup services
- Financial service providers
- Internet network and security services
- Software-as-a-Service (SaaS) providers
- Third-party resellers using direct or other online services
Whether conducting the audit or working as a consulting team alongside other auditors, our SOC audit practice experts work closely with a company's business process owners, providing best-practice assurance for thorough and timely reporting.
SOC 1 Report (SSAE 18)
This report addresses the controls at a service organization that are relevant to its clients' (the user entities') internal control over financial reporting. These engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18. A SOC 1 report can be issued as a Type 1 (suitability of the design of controls as of a specified date) or a Type 2 (suitability of design and operating effectiveness of controls throughout a specified period).
SOC 2 Report
A restricted-use report on controls at a service organization relevant to the AICPA Trust Services Criteria. The trust services categories evaluated may include:
- Security—is the system protected against unauthorized access (physical and logical)?
- Availability—is the system available for operation and use as committed or agreed?
- Processing Integrity—is system processing complete, accurate, timely, and authorized?
- Confidentiality—is confidential information protected as committed and agreed?
- Privacy—is personal information collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants?
Similar to a SOC 1 examination, a SOC 2 examination reports on management's description of the service organization's system and on the suitability of the design of the controls to achieve the relevant trust services criteria as of a specified date (Type 1), or on the suitability of their design and their operating effectiveness throughout a specified period (Type 2).
SOC 3 Report
This report uses the same trust services criteria as a SOC 2 report, but it is a general-use report: it provides only the practitioner's opinion on whether the system achieved the trust services criteria, without the detailed description of the system, the tests performed, or their results that a SOC 2 report contains. Because it omits those details, a SOC 3 report can be distributed freely (for example, posted publicly) where a SOC 2 report cannot. SOC 3 reports can be issued on one or more of the trust services categories (security, availability, processing integrity, confidentiality, and privacy).
SOC for Cybersecurity Report
This report provides an opinion on an entity's cybersecurity risk management program: on management's description of the program and on the effectiveness of the controls within it. It gives all of the entity's stakeholders additional comfort that the organization is prepared to meet the cyber risks it faces daily. The engagement is flexible in the choice of control criteria the entity is examined against, for example the AICPA trust services criteria or another suitable cybersecurity framework.