CTBK performs System and Organization Controls (SOC) Reports for organizations of various sizes and in a number of industries. We are experts at delivering SOC audits that meet the highest levels of user scrutiny that will satisfy all service organization, user organization, and user auditor requirements. Whether your reporting requirements are basic or complex, our SOC team at CTBK can assist you with your needs.
System and Organization Controls (SOC) reporting options include SOC 1, SOC 2 and SOC 3, as described below.
SOC 1 reports meet the needs of user entities' management and auditors as they evaluate the effect of a service organization's controls on a user entity's financial statement assertions. These reports are important components of user entities' evaluation of their internal controls over financial reporting for purposes of compliance with laws and regulations and for when user entity auditors plan and perform financial statement audits.
- Purpose: Reports on the controls of the service organization that are relevant to the user organization's financial reporting
- Scope: Controls related to the accuracy of financial data and information technology general controls
- Audience: User organization's financial executives, compliance officers and financial statement auditors. Customers are typically concerned with the impact your services will have on their financial statements.
SOC 2 reports meets the needs of a broad range of users to address other types of third-party risks outside of financial statement reporting, including assurance over the critical systems and sensitive data used to provide outsourced services. SOC 2 reports can cover between one and five of the Trust Services Principles. The standard Trust Service Principles include (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. All SOC 2 reports are required to cover Security.
- Purpose: Reports on the effectiveness of the controls of the service organization related to operations, based on the selected Trust Services Principles
- Scope: Governance, operational and information technology general controls that address one or more of the Trust Services Principles categories (security, confidentiality, availability, processing integrity and privacy)
- Audience: User organization's information technology executives, compliance officers, vendor management executives, regulators, other specified parties and appropriate business partners. Customers are typically concerned with the security and confidentiality of their data or the availability and integrity of the systems you provide.
The SOC 3 report is similar to the SOC 2 report. However, a SOC 3 report does not require a detailed description of the controls of the service organization, and the distribution of the report is not restricted to specified users. The SOC 3 report simply reports on whether the service organization achieved one or more of the Trust Services Principles and criteria. Anyone who would like confirmation of the controls of the service organization can view the SOC 3 report. SOC 3 reports are typically generally use, which can be freely distributed.
A SOC 3 report is considered valuable for a service organization if the organization decides it does not want to reveal the details of its controls or when a user organization requests a SysTrust for Service Organizations seal. The SysTrust seal is a symbol that can be displayed on a service organization's website after the completion of a SOC 3 report.
- Purpose: Same purpose as SOC 2 report
- Information required: Same information as SOC 2 report, but with a less detailed description of the controls of the service organization
- Audience: Unrestricted and can be used by anyone who has the appropriate understanding of the subject matter and who would like confidence in the controls for the service organization
Type 1 vs. Type 2 Reports
Both a SOC 1 and a SOC 2 can be either a Type 1 or Type 2. The key difference is:
- Type 1 addresses the design of controls, as of a point in time.
- Type 2 addresses both the design and operating effectiveness of controls, over a period of time
Type 1 reports provide less assurance to the intended audience of the report and are less common.
Performing a SOC Engagement
If you've never had a SOC examination performed, we will work with you to determine which report is most applicable to the needs of your organization and your clients/customers.
After the appropriate type and scope of the examination is determined, we typically perform a readiness assessment before your first SOC examination. The readiness assessment is a one-time review to identify your control activities satisfying each of the objectives or criteria. The deliverable provides recommendations on potential gaps in control activities and/or documentation.
After the readiness assessment is performed, we allow you time to remediate controls or improve deficiencies before we begin our examination period.
We will work with management to schedule the most convenient timing for our onsite fieldwork and testing. Testing typically consists of:
- Touring the facility
- Making inquiries of personnel to verify polices and procedures are understood and being followed
- Observing employees and controls in process
- Performing tests to determine if control are operating effectively
Throughout the engagement, we will use secure portals to share information and ensure confidentiality.
Upon completion of our engagement, we not only issue an independent service auditors' report on the Company's controls, we will also provide suggestions to enhance controls and operating efficiencies noted during our audit procedures.
If you are interested in more information related to SOC reports or wish to speak with someone on our CTBK SOC team, please call Eric Colca (716-630-2437) or David Grek (716-630-2435).