System and Organization Control (SOC) Audits


With the advent of the Sarbanes-Oxley Act (SOX), other demands for transparency, and increasing globalization and outsourcing, the use of SSAE 18 has grown exponentially. Service organizations that provide key third-party outsourcing services often need to be accountable to the clients they serve. These organizations include:

  • claims processors
  • application service providers
  • benefits administrators
  • payroll companies
  • data centers

Furthermore, the System and Organization Control Reports (SOC 2 and SOC 3 reports) provide two newer reporting vehicles developed for service organizations to respond to demands for uniform reporting and review. They expand service organizations’ ability to report on non-financial controls and, with SOC 3, to become certified trusted system service organizations.

CPAs perform SSAE 18 attestation engagements to provide assurance to the service organization’s customers and their auditors that the organization has specific, adequate and effective controls in place.

  • Type I audits consider the controls’ effectiveness at a certain point in time.
  • Type II audits examine the controls’ effectiveness over a specific period, typically six to 12 months.

SSAE 18 and SOC 2 and SOC 3 engagements address today’s environment that:

  • Requires greater international consistency,
  • Addresses newer technologies such as cloud computing, mobile and virtualization,
  • Demands more widely recognized and understood reporting options.

SSAE 18 (SOC 1)

SSAE 18 (SOC 1) requires management to provide a written description of its system, to assert that the description is fairly presented and that the controls are suitably designed and operating effectively to achieve the stated control objectives, and to identify the criteria used to make those assertions.

While SSAE 18 (SOC 1) examines service organizations’ controls related to financial reporting, SOC 2 and SOC 3 review non-financial reporting controls.

SOC 2 Engagements

SOC 2 engagements use the predefined criteria in trust services principles, criteria and illustrations, as well as the requirements and guidance in AT Section 101, attest engagements, of SSAEs (AICPA, professional standards, vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or type 2 report may be issued and the report provides a description of the service organization's system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests.

SOC 3 Engagements

SOC 3 engagements use the predefined criteria in trust services principles, criteria and illustrations that also are used in SOC 2 engagements. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality, and privacy).

Differences between SOC 2 and SOC 3 Reports

The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls and the results of those tests, as well as the service auditor’s opinion on the description of the service organization’s system.

LBMC’s multi-disciplined teams have the financial and information systems auditing experience to ensure service organizations undertaking an SSAE 18 have the best information for their organization, industry and clients.

What Type of SOC Report is Best for You?

Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer's financial statements?

If you answer YES, you need a SOC 1.

Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law/regulation?

If you answer YES, you need a SOC 1.

Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization's IT systems?

If you answer YES, you need a SOC 2 or 3.

Do you need to make the report generally available to non-customers?

If you answer YES, you need a SOC 3.

Do your customers have the need for and the ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditors and the results of those tests?

If you answer YES, you need a SOC 2. However, if you answer NO, you need a SOC 3.

Why Choose LBMC?

Our team members have extensive experience on your side of the desk in a variety of industries with financials, security and compliance mandates. This client-side experience means that we understand how data moves between a user entity’s network and its service organizations. We help you achieve compliance while providing the insights your leaders and stakeholders need to make better business decisions.

Whether you are just getting started with SOC reporting, or have been receiving a report for years from another provider, LBMC can help you build trust with your business partners and regulators.

Download our Free SOC Audit & Compliance Guide

Don't wait. Get ready for SOC success with our free, popular 25-page guide, How to Prepare for a SOC Examination. It contains all of the information in SOC 101 and much more.

Chapter 1: Understanding the SOC Report
Chapter 2: Preparing for a Successful SOC Report
Chapter 3: Maximizing Your Preparation Efforts
Chapter 4: Selecting an Audit Firm
Chapter 5: Integrating SOC Reporting with Regulatory Compliance Mandates
SOC Glossary


If you would like to review some SOC 101 frequently asked questions, visit our SOC page from the security team.