What are SOC engagements?
Service organizations like yours receive requests from customers for assurance on a number of fronts, including assurance about your systems’ controls over financial reporting (SOC 1 engagements) and also the controls you employ to protect the privacy and confidentiality of users’ data, as well as the security, availability and processing integrity of your systems (SOC 2 and SOC 3 engagements).
Recently introduced is also a SOC for Cybersecurity to help address the ever-increasing pressure that companies are under to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.
System and Organization Control (SOC) engagements have become the gold standard for examining, assessing and reporting on these controls. SOC engagements were developed by the CPA profession, whose firms are the premier providers of SOC reports for service organizations that must reassure users about their systems. In the past, these engagements were referred to as SAS 70 or SSAE 16 reviews.
Partnering with our affiliate CPA firm, Clark Schaefer Hackett, our team has the experience, skills and qualifications to manage and address your SOC reporting needs. We have an outstanding reputation as an authority on these services, which your customers will recognize and appreciate. As part of the public accounting industry, our auditors have the proper foundation and training to create a quality product which is important to you, your customers and their auditors.
For our SOC 1 services, we take a consultative approach while working with you to create a plan determining which control objectives are to be in scope. Additionally, we develop a methodology to test your control activities appropriately to meet industry best practices and to satisfy the scrutiny of your clients and their auditors. For the SOC 2, SOC 3, and Cybersecurity services, we also take a consultative approach in assisting you with addressing and testing defined control activities that meet the more defined AICPA criteria.
With all SOC reports, our approach allows us to “think outside the box” while providing value-added recommendations for improving your business. For those clients who aren’t sure how they will fare with their first SOC report, we offer our Readiness Review. This process assists you in defining control objectives and the key controls that support those objectives. In addition, we’ll analyze the controls currently in place and for any weaknesses identified, we’ll provide recommendations for you to correct these weaknesses prior to commencing an actual SOC engagement. A readiness review will help ensure that the identified controls will be effective and in place during the SOC reporting period.
There are four major categories of SOC reports and new ones are being developed including a SOC for Vendor Supply Chains. These SOC reports are referred to as “SOC 1”, “SOC 2”, “SOC 3” or “SOC for Cybersecurity”. The table below provides a comparison of these four reports:
| Area | SOC 1 | SOC 2 | SOC 3 | SOC for Cybersecurity |
|---|---|---|---|---|
| Scope | Reporting on controls at a service organization relevant to user entities' (your customers') internal control over financial reporting. | Reporting on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. | Trust Services Principles, Criteria, and Illustrations. | Provides users with useful information for decision-making about an organization's cybersecurity risk management program. Provides organizations with a framework for communicating about the effectiveness of their cybersecurity risk management program to build trust and confidence. |
| Areas of Focus | Meets the needs of the user entities' management and auditors as they evaluate the effect of a service organization's controls on a user entity's financial statement assertions. Financial transactions with their supporting IT infrastructures and related general computer controls. | For those who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality or privacy. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Stakeholders who may use these reports include management or those charged with governance of the user entities and of the service organization, customers, regulators, business partners and suppliers, among others. | Designed to accommodate users who want the assurance of a SOC 2 but do not need the detailed and comprehensive SOC 2 report. It can be used in a service organization's marketing efforts. | A cybersecurity risk management reporting framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. Reports on an organization's enterprise-wide cybersecurity risk management program. |
| Users of the Report | Users' controller's office; user auditors. | Management; regulators. | Users with a need for confidence in the service organization's controls. | Senior management; boards of directors; business partners. |
Type of SOC Testing
We can provide SOC reports for either type of testing that you require, “Type 1” or a “Type 2”:
- Type 1 testing validates that the established controls are suitably designed to support the control objectives reported upon and that the description of these controls is presented fairly in the report.
- Type 2 testing attests to the design of the controls and, in addition, tests a sample of transactions to validate that these controls operated effectively throughout the period covered by the report.