SOC Audit

SOC 1

In a SOC 1 audit, an assessment and opinion are provided for a system that is defined as the people, processes, and information technology used in providing products or services to customers, and how that system impacts a customer's financial reporting. The scope of a SOC 1 may include financial, operational, and information technology controls. A SOC 1 report plays an important role in your customer's external financial statement audit.

Two types of SOC 1 audit exist:

  • A Type I audit determines whether the description of the system fairly represents the design of controls in place to achieve control objectives related to financial reporting.
  • A Type II audit determines whether the description of the system is fairly represented and whether the controls as designed are operating effectively to achieve control objectives related to financial reporting.
SOC 2

In a SOC 2 audit, an assessment and opinion are provided for a system that provides products or services which must comply with one or more trust service principles: security, confidentiality, availability, processing integrity, and privacy. The system is defined as the infrastructure, software, people, procedures, and data used in providing products and services to customers. A SOC 2 report plays an important role in your customers' supply chain risk management practices and in meeting their regulatory compliance requirements.

Two types of SOC 2 audit exist:

  • A Type I audit determines whether the description of the system fairly represents the design of the controls in place to meet product and service commitments and the selected trust service principles and criteria.
  • A Type II audit determines whether the description of the system is fairly represented and whether the controls as designed are operating effectively to achieve product and service commitments and the selected trust service principles and criteria.
SOC Readiness Assessment Services

Getting a SOC 2 audit can be a big step for your organization, but it is well worth the effort. SOC certification demonstrates your credibility in providing secure and reliable products and services and may be necessary to meet regulatory and corporate governance requirements.

We offer readiness assessment services that assess your internal control framework and identify gaps based upon the trust service principles and criteria that will be addressed in your SOC 2 audit. The scope of our readiness assessment services includes the assessment of policies, procedures, and other documents describing your service commitments and requirements to customers. The scope of a readiness assessment does not include an assessment or opinion on the description of your system, as that assessment is part of a SOC 2 report.

SOC 3

A SOC 3 audit addresses the same scope as a SOC 2 audit, but only provides a report stating whether the system achieved the trust services principles and criteria. A SOC 3 audit can be done in conjunction with a SOC 2 audit, but not alone. A SOC 3 report provides an opinion on management's assertion only. It does not provide an opinion on whether the description fairly represents the system or on the operating effectiveness of its controls. A SOC 3 report is not restricted in distribution, which allows a company to market its products and services to prospective customers and post the SOC 2 certification seal on its website.

SOC Plus +

A SOC Plus + audit is one where the scope of a SOC 2 audit is modified to incorporate additional subject matter or the criteria of other regulations. Examples of additional criteria include compliance with the Health Information Trust Alliance's (HITRUST) Common Security Framework (CSF) or the Cloud Security Alliance's (CSA's) Cloud Controls Matrix (CCM). Additional criteria can also be defined by outside third parties.

A SOC 2 Plus audit applies the same assessment and test procedures to the additional subject matter or criteria as it does to the trust services principles and criteria. Our approach in performing a SOC 2 Plus audit leverages detailed process mapping documents that map the AICPA trust service principles and criteria to both the CSF and the CCM.

SOC for Cybersecurity

In a SOC for Cybersecurity audit, an assessment and an opinion are provided on the design and operating effectiveness of controls within a Cybersecurity Risk Management Program. This program is defined as the policies, procedures, and controls designed to protect information and systems from security events through the execution of timely detection, response, mitigation, and recovery activities. As with a SOC 2 audit, either a Type I or a Type II examination can be performed, and one or more trust service principles and criteria can be included in scope. Also as with a SOC 2, a readiness assessment can be provided for the SOC for Cybersecurity exam.
