SOC Reports

SOC 1 Examinations are intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities in evaluating the effect of the controls at the service organization on the user entities’ financial statements. We work with the service organization to produce the report its customers are requesting.

Service organizations that would typically receive a SOC 1 report consist of third-party service providers, insurance companies, payroll and benefits processors as well as trust departments. Broadly, any service organization that provides services to customers that directly impact the customer’s financial statements would be a candidate for such a report. Service organizations should evaluate their needs along with their customers’ reporting needs before determining the type of SOC report that applies to their needs.

SOC 2 and SOC 3 examinations are used by service organizations to meet the needs of a broad range of users that need detailed information and assurance about the controls at the service organization relevant to the security, availability and processing integrity of the systems at the service organization, and the confidentiality and privacy of the information processed by these systems. The AIPCA has set forth specific trust services criteria within each trust services principle which the service organization’s controls must meet to satisfy the principle.

A SOC 3 report is similar to a SOC 2 examination, with the primary difference being that SOC 2 reports are restricted use reports and SOC 3 are general use reports. SOC 3 reports can be freely distributed by the service organization and the organization can post a SOC 3 seal on their website indicating the SOC 3 report has been completed.

Service organizations that would typically receive a SOC 2 or SOC 3 report consist of datacenters, software development companies, cloud computing companies, IT service providers, and data and application hosting companies.

In April 2017, the American Institute of Certified Public Accountants (AICPA) introduced a new examination entitled System and Organization Controls (SOC) for Cybersecurity which builds on the AICPA standards already in place over SOC examinations. The existing SOC1, SOC2, and SOC3 frameworks were directly focused on organizations providing direct or indirect services to other organizations as service providers.

SOC for Cybersecurity, however, is appropriate for virtually any type of business or nonprofit organization and is performed by the AICPA’s Cybersecurity risk management program attestation standards. It focuses on communicating information regarding the design and operating effectiveness of an organization’s cybersecurity risk management program to the organization’s management, board, and other stakeholders, allowing them to understand the processes, policies, and controls that the organization has in place to mitigate and prevent cybersecurity attacks on their information as well as determine potential gaps that are not addressed by processes, policies, or controls currently in place within the organization.