System & Organization Control (SOC) Audits
The creation of System and Organization Control (SOC) audits provide three report options developed for service organizations to respond to demands for uniform reporting and review—expanding service organizations’ ability to report on financial controls, non-financial controls and, with SOC 3, become certified trusted system service organizations.
CPAs perform SSAE 18 attestments to provide assurance to the service organization’s customers and their auditors that the organization has certain, adequate and effective controls in place.
- Type I audits consider the controls’ design effectiveness at a certain point in time
- Type II audits examine the controls’ design and operating effectiveness over a specific period, typically six to 12 months.
SOC 1, SOC 2 and SOC 3 engagements address today’s environment that:
- Requires greater international consistency
- Addresses newer technologies such as cloud computing, mobile, and virtualization
- Demands more widely recognized and understood reporting options
We provide SOC audits to clients across the country and maintain appropriate licensure in the states in which we provide attest work. As a result, we have in-depth industry knowledge to help service providers in a variety of industries, including healthcare and claims processing, financial services, cloud service providers, and commercial collation and hosting providers.
Requirements of a SOC 1 include management to provide written descriptions of its systems and assert that the descriptions of their systems are fairly presented, control objectives suitably designed and operate effectively, and identify the criteria they used to make those assertions.
SOC 1 audits examine service organizations’ controls related to financial reporting, while SOC 2 and SOC 3 reviews security, availability, processing integrity, confidentiality, and privacy reporting controls that align to the AICPA Trust Services Criteria (TSC).
There is a key difference between SOC 2 reports and SOC 3 reports. That difference is that a SOC 2 report contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system and a SOC 3 report can be distributed freely while a SOC 2 is meant for a service organization’s customers.