

SOC Background & Services
In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host, process or safeguard data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002, and emerging information technology framework requirements, make System and Organization Control (SOC) reports even more important to the process of contract compliance and to reporting on the effectiveness of internal controls operated by third-party vendors.
Different SOC reports have been created to meet the needs of service providers. Statement on Standards for Attestation Engagements (SSAE) No. 18 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) geared towards addressing engagements conducted by practitioners (known as "service auditors") on service organizations for purposes of reporting on the design of controls and their operating effectiveness.
SOC 1 engagements report on controls relating to internal control over financial reporting. SOC 2 reports follow AT-C Section 205 and the recently released AICPA Guide “Reporting on Controls at a Service Organization relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.” Both SOC 1 and SOC 2 reports can be a Type I (controls designed and effective at an as-of-date) or a Type II (controls designed and operating effectively over a period of time).
Further details regarding the different types of SOC services are noted below.

SOC 1 Type I & II
Internal Controls Over Financial Reporting
We provide specialized attestation reports of specific operations and transactions, such as entity-level controls, general IT controls, and/or process controls.
See below for SOC 2 and SOC Pre-Assessment services.

SOC 2 Type I & II
Controls Criteria Established by AICPA
When preparing a SOC 2 report, the service organization has the option to report on one or more of the criteria that are known as the “applicable trust service criteria.” SOC 2 engagements use the predefined criteria in the AICPA Trust Service Criteria.
Trust Service Criteria include the following:
- Security: The system is protected against unauthorized access (both physical and logical); this criterion is required for SOC 2.
- Availability: The system is available for operation and use as committed or agreed.
- Processing integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA.
See above for SOC 1 and below for SOC Pre-Assessment services.

SOC Pre-Assessment
We Are Here to Help
Description of Services:
The description of services must be structured in a way that fairly presents the system. Management is responsible for developing this description in accordance with the applicable SOC reference material. First-year reports typically take numerous revisions, and clients often need outside guidance to develop the document. Pre-assessment services are designed to work with the client to review their description of services and provide an analysis of any potentially missing components.
Identification of Control Activities:
Management must identify the controls necessary to support each Trust Services Criteria category to be covered in the SOC report. Identifying the appropriate control activities can be a difficult task. During Pre-assessment services, we will work with management to select a framework for identifying the appropriate SOC 2 controls; we will then interview employees and inventory existing controls so they can be mapped to the selected framework. Management remains responsible for implementing any missing controls identified during the Pre-assessment services.
See above for details regarding SOC 1 and SOC 2 services.