System and Organization Control (SOC) Audits

More service providers are recognizing the importance of obtaining a System and Organization Controls (SOC) report. SOC reports provide independent assurance that your service organization has the right controls in place to address the security and business risks your customers inherit from you.

Defined by the American Institute of Certified Public Accountants (AICPA), a SOC report is the product of an independent examination of a service organization’s (SO) controls (systems, processes and policies). Service providers recognize that a SOC report can be the difference between winning and losing a client.

Webinar: What should be in my SOC description?

LBMC’s Richard Beard shares an overview of SOC system descriptions and what should be included in an organization’s SOC 1 and SOC 2 reports.

Discover the Right SOC Report for Your Organization

Embarking on the SOC audit is not for the faint of heart. It shouldn’t be approached lightly, as it requires attention to detail, good resources and time. Depending on your level of readiness and the report type, the process can take anywhere from a few months to a year or longer from start to finish for organizations new to the process. Mature organizations can expect a shorter timeline – assuming they already have the necessary controls, processes and technologies in place.

SOC audits come in three report options, developed for service organizations in response to demands for uniform reporting and review. They expand service organizations’ ability to report on financial controls (SOC 1) and non-financial controls (SOC 2) and, with SOC 3, to publish a general-use report showing that the system meets the trust services criteria.

CPAs perform these attestation engagements under SSAE 18 to provide assurance to the service organization’s customers and their auditors that the organization’s controls are suitably designed and operating effectively.

  • Type 1 reports address the fairness of management’s description of the system and the suitability of the controls’ design as of a specified date
  • Type 2 reports also address the controls’ operating effectiveness over a specified period, typically six to 12 months

SOC 1, SOC 2 and SOC 3 engagements address today’s environment that:

  • Requires greater international consistency
  • Addresses newer technologies such as cloud computing, mobile, and virtualization
  • Demands more widely recognized and understood reporting options

We provide SOC audits to clients across the country and maintain appropriate licensure in the states in which we provide attest work. We also have in-depth industry knowledge to help service providers in a variety of industries, including healthcare and claims processing, financial services, cloud service providers, and commercial colocation and hosting providers.

Which SOC Report is Right for You? (SOC 1, SOC 2 or SOC 3)

SOC reports help your business retain and attract new customers. Every business that shares critical data with a service provider wants to be sure that the business partner is doing all it can to protect its vital information assets. How do you prove you are?

Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements?
If you answer YES, you need a SOC 1.

Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law/regulation?
If you answer YES, you need a SOC 1.

Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s IT systems?
If you answer YES, you need a SOC 2 or 3.

Do you need to make the report generally available to non-customers?
If you answer YES, you need a SOC 3.

Do your customers have the need for and the ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditors and the results of those tests?
If you answer YES, you need a SOC 2. However, if you answer NO, you need a SOC 3.

SOC 1 Audits

SOC 1 requires management to provide a written description of its system and to assert that the description is fairly presented, that the controls are suitably designed to achieve the stated control objectives and (for a Type 2 report) operated effectively throughout the period, and to identify the criteria used to make those assertions.

Executive Team for SOC 1 Audits

If you are interested in more information on SOC 1 Audits, please contact Paul and Jacob.

What is a SOC 1® Report?

A SOC 1 is a report on controls at your SO that are relevant to user entities’ internal control over financial reporting. This report is specifically intended to meet the needs of two parties:

  1. The entities that use service organizations (user entities)
  2. The CPAs that audit the user entities’ financial statements (user auditors)

SOC 1 helps the reader evaluate the effect of your service organization’s controls on a user entity’s financial statements.

Examples of outsourcing arrangements in which the service provider typically needs a SOC 1 report:

  • A health insurance company that outsources the medical claims processing function
  • An employee benefit plan that outsources functions to a bank to serve as custodian of assets, maintain records of account, allocate investment income and/or make payments
  • Any company that provides packaged software applications that enable customers to process financial and operational transactions (an application service provider, or “ASP”)

There are two options when it comes to the SOC 1 report – type 1 and type 2.

A Type 1 report is a point-in-time assessment that evaluates:

  • The fairness of the presentation of management’s description of the service organization’s system (i.e., the accuracy of the system description)
  • The suitability of the design of the controls to achieve the control objectives included in the description (as of a specified date)

A Type 2 report covers a period of time, typically 6 to 12 months, and evaluates:

  • The fairness of the presentation of management’s description of the service organization’s system
  • The suitability of the design of the controls to achieve the control objectives included in the description (throughout the specified period)
  • The operating effectiveness of the controls to achieve the control objectives included in the description (throughout the specified period)

The service auditor issues its opinion with the SOC 1 report, which is distributed for restricted use to the management of the SO, user entities, and user auditors.

SOC 2 and SOC 3 reports differ in two key ways. A SOC 2 report contains a detailed description of the service auditor’s tests of controls and the results of those tests, together with the service auditor’s opinion on the description of the service organization’s system. A SOC 3 report omits those details and can be distributed freely, while a SOC 2 report is restricted to a service organization’s customers and other knowledgeable parties.

SOC 2 Engagements

SOC 2 engagements use the AICPA Trust Services Criteria (TSC) as the control criteria and are performed under the AICPA attestation standards (SSAE 18, AT-C section 205, which superseded the earlier AT Section 101 attest engagement guidance). A SOC 2 report is similar in structure to a SOC 1 report. Either a type 1 or type 2 report may be issued, and the report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests.

Executive Team for SOC 2 Audits

If you are interested in more information on SOC 2 or SOC 3 Audits, please contact Drew and Robyn.

What is a SOC 2® Report?

A SOC 2 is a report on controls at a SO relevant to security, availability, processing integrity, confidentiality, and privacy in alignment with the AICPA Trust Services Criteria (TSC). While a SOC 1 report addresses a service organization’s impact on its customers’ financial reporting, a SOC 2 report addresses the risks arising from interactions with service organizations and their systems.

The report is intended to meet the needs of a broad range of users that require information and assurance about the SO’s controls as they relate to:

  • The security, availability, and processing integrity of the systems used by the SO to process users’ data,
  • The confidentiality and privacy of the information processed by these systems.

Below are a few examples of companies that may need a SOC 2 Report:

  • Providing medical providers, employers, and third-party administrators and insured parties of employers with systems that enable medical records and related health insurance claims to be processed accurately, securely, and confidentially
  • Managing, operating, and maintaining user entities’ IT data centers, infrastructure, and application systems and related functions that support IT activities, such as network, production, security, and environmental control activities
  • Managing access to networks and computing systems for user entities (for example, granting access to a system and preventing, detecting, and mitigating system intrusion)

As with the SOC 1 report, there are two report types for this engagement – type 1 and type 2.

Use of SOC 2 reports is generally restricted to those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services.

SOC 3 Engagements

SOC 3 engagements use the same predefined Trust Services Criteria that are used in SOC 2 engagements. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results). It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or more of the trust services categories (security, availability, processing integrity, confidentiality, and privacy).

Executive Team for SOC 3 Audits

If you are interested in more information on SOC 2 or SOC 3 Audits, please contact Drew and Robyn.

What is a SOC 3® Report

Similar to the SOC 2, the SOC 3 report is a report on the controls at a SO that are relevant to the SO’s ability to maintain the security, availability, processing integrity, confidentiality, and privacy of the user entity data for which it is responsible. The assessment entails the same Trust Services Criteria, controls, and evaluation of controls addressed in a SOC 2 report.

The key distinction is that the SOC 3 is intended for general use as opposed to restricted use. This means that the SOC 3 report is a public-facing document that gives a high-level overview of information that would be contained in a SOC 2 report. While a SOC 2 report contains sensitive information about business systems and controls at a level that would not be appropriate for public distribution, a SOC 3 report does not and is used as a front-facing report, often for the purposes of sales and marketing.

Examples include:

  • A SO may choose to display a SOC 3 seal on its website if it meets the criteria, and link to the SOC 3 report.
  • A sales team may provide the report to prospects and clients to assure them that the SO is protecting their data and private information. Clients can easily verify that best practices are being followed to guard against security breaches and corrupted data.

Another benefit of a SOC 3 report is that no additional audit procedures are necessary if you have already been issued a SOC 2 report, provided the SOC 3 covers the same system, period, and trust services categories as the SOC 2 Type 2 examination.

SOC for Cybersecurity

The SOC for Cybersecurity examination is designed to provide report users with information to help them understand management’s process for handling enterprise-wide cyber risks. It can be performed for any type of organization regardless of size or industry, and report users aren’t necessarily current customers or customer auditors.

SOC for Cybersecurity provides the following:

  • A standard, consistent, way to report on an entity’s cybersecurity risk management program (CRMP).
  • An effective way to communicate cybersecurity control effectiveness to stakeholders, boards, committees, customers, and partners through a comprehensive cybersecurity audit.

Differing from SOC 2 reports, SOC for Cybersecurity reports address the following:

  • The baseline against which an entity’s description is assessed in SOC for Cybersecurity is the AICPA Description Criteria for management’s description of the entity’s cybersecurity risk management program.
  • An organization pursuing a SOC for Cybersecurity may utilize the Trust Services Criteria, but may also use another generally accepted security framework when designing or assessing its control requirements.
  • SOC for Cybersecurity reports are general use reports, and the objectives of the report are often determined by company management. These reports are meant for a broader audience than SOC 2 reports and may be shared with anyone inside or outside an organization.
  • In a SOC for Cybersecurity, the controls matrix will not be included in the report.

The LBMC SOC audit team was instrumental in working with the AICPA to create and release this assessment to help you achieve compliance and provide the insights you need to make better business decisions.

Client Testimonial

You will not find a more professional team than LBMC. They are easy to work with, challenge us to be better, and deliver excellent results every time. LBMC has been our partner for many years and has worked alongside us as a trusted advisor in helping with our SOC Audit needs.
Senior Director of Governance, Risk, and Compliance for a leading software and information solutions provider

Executive Team for SOC Audits

  • Paul Demastus, Shareholder, Audit and Advisory (Nashville)
  • Drew Hendrickson, Shareholder & Practice Leader, Cybersecurity (Nashville)
  • Jacob Schuetze, Shareholder, Audit and Advisory (Nashville)
  • Robyn Barton, Shareholder, Cybersecurity (Nashville)