Subscribe to our blog
Articles published weekly by IT security and compliance professionals with decades of experience
System & Organizational Controls (SOC) reports are internal control reports that outline the services that are being provided by a service organization and the controls related to the service that is being offered. This provides valuable information to potential customers and allows the service organization to build trust and confidence around their service offerings. A Service Auditor's Report can help a service organization to:
SOC reports are intended to build consumer trust, and are required or beneficial for organizations such as: Data Centers, Loan Servicing, Payroll, Medical Claims, SaaS, Software Developers, etc. Not all SOC reports are alike. These documents come in the following variations:
A SOC 1 report examines internal controls at a service organization that impact a user entity’s (your customers) controls over financial reporting. This report is only to be issued when an auditor of your customer needs to gain comfort with your controls to be able to issue audited financial statements. This report can only be used by the auditors of user entities and user entities’ management.
The SOC 2 report deals specifically with controls related to Security, Confidentiality, Privacy, Availability, and Processing Integrity, which are known as the 5 Trust Services Criteria (TSC). SOC 2 reports provide organizations with a broad range of information and assurance regarding the controls an organization has in place for the systems that process its customers' information.
The SOC 3 report is intended to be publicly shareable, and can be provided to clients or posted on an organization's website to boost consumer confidence in the organization's controls, whereas the SOC 1 & 2 can't be publicly shared. SOC 3 covers the same areas as SOC 2, but the report removes confidential information and details.
These reports can be performed as either a Type I or Type II:
The first step is to review the customer scope of the SOC report. Compass IT Compliance will review the existing control environment and supply guidance on management’s description of controls. The purpose of this step is to become familiar with the company and with the personnel, systems, and business processes involved in delivering its products and services to its customers. Compass IT Compliance will evaluate existing controls in areas such as infrastructure, software, people, procedures, and data.
Compass IT Compliance will provide the necessary clarity around required remediation work prior to your organization’s SOC engagement.
Compass Assurance and Advisory Group LLC, an independent CPA firm, will complete the required SOC Report Attestation documentation & partner with you and your organization throughout this crucial final step to ensure a smooth process.