SYSTEM AND ORGANIZATION CONTROLS (SOC) REPORTS
The SOC standard gives service organizations an opportunity to build trust and confidence with their customers through an independent report on internal controls. SOC reports are intended to provide comfort over the processes and controls performed by the service organization, to support the completeness and accuracy of the data it processes, and/or to protect the confidentiality and privacy of the data being transmitted.
As an accounting firm with decades of experience dedicated to serving the financial services industry, backed by professionals with Big 4 accounting firm experience, Richey May offers you the best of both worlds – all with a hands-on approach to client service.
Why do you need a SOC Report?
For many service providers, the primary reason for engaging in a SOC audit is to satisfy a requirement imposed by a client or regulatory body. Customers expect their providers to give them assurance about the policies, procedures, and controls that affect the services they buy. When the need for a SOC audit is not driven by a customer or regulatory requirement, service organizations may also choose to engage in a SOC audit to build trust with their customers and their customers’ auditors by proactively demonstrating that they have established internal controls around the security of information and the processing of customer data. A properly designed and executed SOC audit helps to reduce or eliminate the need for customers to send their own auditors to their service providers in order to gain comfort around internal controls.
There are several different types of reports available to meet the needs of service organizations depending on the nature of services provided to their customers.
SOC 1: SOC for Service Organizations Relevant to User Entities’ Internal Control over Financial Reporting
These reports are appropriate for service organizations that provide services relevant to their customers’ internal controls over financial reporting.
SOC 2: SOC for Service Organizations: Trust Services Criteria
These reports are appropriate for service organizations that provide services relevant to the security, availability, and processing integrity of the systems used to process data, as well as the confidentiality and privacy of the data during processing.
SOC 3: SOC for Service Organizations: Trust Services Criteria – General Use Report
Similar to a SOC 2 report, these reports are appropriate for service organizations whose customers need assurance regarding controls relevant to the security, availability, and processing integrity of the systems used to process data, but do not have the need for, or the knowledge necessary to effectively use, a SOC 2 report. In contrast to a SOC 1 or SOC 2 report, these are general use reports that can be freely distributed.
SOC for Cybersecurity
These reports are appropriate for service organizations that need to communicate relevant, useful information about the effectiveness of their cybersecurity risk management program. Like the SOC 3 report, this is a general use report that can be freely distributed.
Not sure which report you need? Refer to the AICPA brochure.
Comparison of Reports