SOC 1 and SOC 2 Audit Services

We validate your organization’s cybersecurity efforts with SOC 1 and SOC 2 Audit Services

Build consumer trust with independent SOC reporting

System and Organization Controls (SOC) examinations were designed by the American Institute of Certified Public Accountants (AICPA) to assist organizations of any size, industry and scope in protecting the personal assets of their potential and existing customers. Learn about the different SOC report types and how you can use them to elevate your organization and build trust with your customer base.

SOC Report Types for Service Organizations
These internal controls reports provide valuable information that users of outsourced services need to assess and respond to the risks over services provided by service organizations. Key issues like security, availability, confidentiality, processing integrity and privacy are reported and documented.

SOC 1 vs SOC 2
The key difference between a SOC 1 and a SOC 2 audit is that SOC 1 is an examination of controls at a service organization that are likely to be relevant to a user entity’s internal control over financial reporting, while a SOC 2 examines controls relevant to security, processing integrity, confidentiality, availability and privacy. Having both SOC 1 and SOC 2 compliance goes a long way toward elevating your organization.

What is SOC 1?

SOC 1 audits (SSAE No. 16) are designed to examine and validate internal control over financial reporting (ICFR). A SOC 1 gives great insight into the accuracy and completeness of both financial transactions and monetary reporting, to ensure that internal operations are running smoothly and that customer and client data is being securely gathered and protected.

There are two main types of SOC 1 audits. SOC 1 Type 1 and SOC 1 Type 2 reports both provide information about a service organization's controls and processes related to financial reporting.

SOC 1 Type 1 vs SOC 1 Type 2

SOC 1 Type 1: Much like a snapshot, attests to the quality, design, and implementation of the financial controls at a specific point in time.

SOC 1 Type 2: Provides insight into the historical operating effectiveness of the financial controls, their design, and their implementation over a six-month period or more.

What is SOC 2?

A SOC 2 audit covers non-financial information about a service organization's reporting controls, this time measured against the Trust Services Criteria listed above: security, availability, confidentiality, processing integrity and privacy. A SOC 2 ensures that the controls at a service organization are protecting all other forms of customer and client data.

SOC 2 Type 1 vs SOC 2 Type 2

SOC 2 Type 1: Much like a snapshot, attests to the quality, design, and implementation of all the data controls (not just financial) at a specific point in time.

SOC 2 Type 2: Provides insight into the historical operating effectiveness of all the data controls (not just financial), their design, and their implementation over a six-month period or more.

What is SOC 3?

In addition to a SOC 2 report, a SOC 3 report can be requested. A SOC 3 is typically a redacted form of a SOC 2 report from which proprietary and/or confidential information has been removed so that it can be made publicly available (for example, on a website).

Choose Us

Related to our SOC service portfolio, we have extensive experience that includes:

  • SOC pre-audit gap analysis and readiness assessments.
  • Coordination among management, user entities, and auditors.
  • Coaching and review of client-prepared control objectives and narratives.
  • SOC 1, SOC 2 and SOC 3 examinations (both Type 1 and 2 audits).
  • SOC 2+ audits, including HIPAA, HITRUST, and the Gramm-Leach-Bliley Act.
  • SOC for Cybersecurity.
  • Dual reporting under AICPA attestation standards and ISAE 3402 for clients involved in international markets.
  • Aligning SOC 2 and SOC 3 audits to leverage the Cloud Security Alliance Cloud Control Matrix.
  • Conversion from 2014 to 2016 Trust Services Principles and the 2017 Trust Services Criteria for SOC 2 and SOC 3 audits.
  • Compliance management by converging SOC, HIPAA, PCI DSS, ISO 27001 and other regulatory requirements.
  • Implementation of SSAE No. 18 requirements.

Request a consultation today to learn about SOC compliance, risk management and more.

Talk to Blair Carlisle about a customized cyber risk assessment and information security framework for your organization.