System and Organization Control (SOC) Audits

If you are interested in engaging with our team about acquiring a SOC audit, fill out our contact form. We will have a team member contact you as soon as possible.

More service providers recognize the importance of obtaining a System and Organization Controls (SOC) Report. SOC reports provide independent assurance that your service organization has the right controls in place to address the risks related to security and business.

Created by the American Institute of Certified Public Accountants (AICPA), a SOC report is a thorough audit of a service organization’s (SO) controls (systems, processes and policies). Service providers recognize a SOC report can be the difference between winning and losing a client.

 

Webinar: What should be in my SOC description?

LBMC’s Richard Beard shares an overview of SOC system descriptions and what should be included in an organization’s SOC 1 and SOC 2 reports.

Discover the Right SOC Report for Your Organization

Embarking on the SOC audit is not for the faint of heart. It shouldn’t be approached lightly, as it requires attention to detail, good resources and time. Depending on your level of readiness and the report type, the process can take anywhere from a few months to a year or longer from start to finish for organizations new to the process. Mature organizations can expect a shorter timeline – assuming they already have the necessary controls, processes and technologies in place.

The creation of SOC audits provide three report options developed for service organizations to respond to demands for uniform reporting and review—expanding service organizations’ ability to report on financial controls, non-financial controls and, with SOC 3, become certified trusted system service organizations.

CPAs perform SSAE 18 attestments to provide assurance to the service organization’s customers and their auditors that the organization has certain, adequate and effective controls in place.

  • Type I audits consider the controls’ design effectiveness at a certain point in time
  • Type II audits examine the controls’ design and operating effectiveness over a specific period, typically six to 12 months.

What are the types of SOC engagements?

  • SOC 1—Reports on the effectiveness of a service organization’s internal controls as they relate to financial reporting.
  • SOC 2—Reports on a service organization’s Trust Services Criteria—security, availability, processing integrity, confidentiality, and privacy. These criteria reference the security, availability, and processing integrity of an organization’s systems and the confidentiality and privacy of data processed by those systems. The security requirement is always included; however, the other four criteria are optional and based on your specific organization.
  • SOC 3—Reports on a service organization’s Trust Services Criteria, not unlike SOC 2, but can be openly distributed.

While a SOC 3 assessment isn’t usually a contractual obligation, it provides an organization with the option to publicize its security efforts. SOC 1 and SOC 2 assessments are for an organization’s current customers to verify security, whereas a SOC 3 assessment can be distributed to anyone (and can even be publicized on a website). The preparation and completion of a SOC 3 assessment mirror that of a SOC 2 assessment, but it includes different reporting requirements. A SOC 2 assessment will include the auditor’s test of controls and results, where SOC 3 will not.

SOC 1, SOC 2 and SOC 3 engagements address today’s environment that:

  • Requires greater international consistency
  • Addresses newer technologies such as cloud computing, mobile, and virtualization
  • Demands more widely recognized and understood reporting options

We provide SOC audits to clients across the country and maintain appropriate licensure in the states in which we provide attest work. As a result, we have in-depth industry knowledge to help service providers in a variety of industries, including healthcare and claims processing, financial services, cloud service providers, and commercial collation and hosting providers.

Which SOC Report is Right for You? (SOC 1, SOC 2 or SOC 3)

SOC reports help your business retain and attract new customers. Every business that shares critical data with a service provider wants to be sure that the business partner is doing all it can to protect its vital information assets. How do you prove you are?

Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements?
If you answer YES, you need a SOC 1.

Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or similar law/regulation?
If you answer YES, you need a SOC 1.

Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s IT systems?
If you answer YES, you need a SOC 2 or 3.

Do you need to make the report generally available to non-customers?
If you answer YES, you need a SOC 3.

Do your customers have the need for and the ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditors and the results of those tests?
If you answer YES, you need a SOC 2. However, if you answer NO, you need a SOC 3.

SOC 1 Audits

SOC 1 requires management to provide written descriptions of its systems and assert that the system descriptions are fairly presented, control objectives suitably designed and operate effectively, and identify the criteria they used to make those assertions.

Executive Team for SOC 1 Audits

If you are interested in more information on SOC 1 Audits, please contact Paul and Jacob.

What is a SOC 1® Report?

A SOC 1 is a report on controls at your SO that are relevant to user entities’ internal control over financial reporting. This report is specifically intended to meet the needs of two parties:

  1. The entities that use service organizations (user entities)
  2. The CPAs that audit the user entities’ financial statements (user auditors)

SOC 1 helps the reader evaluate the effect of your service organization’s controls on a user entity’s financial statements.

Examples of companies that need a SOC 1 Report.

  • A health insurance company that outsources the medical claims processing function
  • An employee benefit plan that outsources functions to a bank to serve as custodian of assets, maintain records of account, allocate investment income and/or make payments
  • Any company that utilizes packaged software applications that enables customers to process financial and operational transactions (Application service provider or “ASP”)

There are two options when it comes to the SOC 1 report – type 1 and type 2.

A Type 1 report is a point-in-time assessment that evaluates:

  • The fairness of the presentation of management’s description of the service organization’s system (i.e., the accuracy of the system description)
  • The suitability of the design of the controls to achieve the control objectives included in the description (as of a specified date)

A Type 2 report covers a period of time, typically 6 to 12 months, and evaluates:

  • The fairness of the presentation of management’s description of the service organization’s system
  • The suitability of the design of the controls to achieve the control objectives included in the description (throughout the specified period)
  • The operating effectiveness of the controls to achieve the control objectives included in the description (throughout the specified period)

The service auditor issues its opinion with the SOC 1 report, which is distributed for restricted use to the management of the SO, user entities, and user auditors.

There is a key difference between SOC 2 reports and SOC 3 reports. That difference is that a SOC 2 report contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system and a SOC 3 report can be distributed freely while a SOC 2 is meant for a service organization’s customers.

SOC 2 Engagements

SOC 2 engagements use the TSC as well as the requirements and guidance in AT Section 101, attest engagements, of SSAEs (AICPA, professional standards, vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or type 2 report may be issued and the report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests.

Executive Team for SOC 2 Audits

If you are interested in more information on SOC 2 or SOC 3 Audits, please contact Drew and Robyn.

What is a SOC 2® Report?

A SOC 2 is a report on controls at a SO relevant to security, availability, processing integrity, confidentiality, and privacy in alignment with the AICPA Trust Services Criteria (TSC). While a SOC 1 report addresses a service organization’s impact on financial transactions, a SOC 2 report addresses the risks arising from interactions with service organizations and their systems.

The report is intended to meet the needs of a broad range of users that require information and assurance about the SO’s controls as they relate to:

  • The security, availability, and processing integrity of the systems used by the SO to process users’ data,
  • The confidentiality and privacy of the information processed by these systems.

Below are a few examples of companies that may need a SOC 2 Report:

  • Providing medical providers, employers, and third-party administrators and insured parties of employers with systems that enable medical records and related health insurance claims to be processed accurately, securely, and confidentially
  • Managing, operating, and maintaining user entities’ IT data centers, infrastructure, and application systems and related functions that support IT activities, such as network, production, security, and environmental control activities
  • Managing access to networks and computing systems for user entities (for example, granting access to a system and preventing, detecting, and mitigating, system intrusion)

As with the SOC 1 report, there are two report types for this engagement – type 1 and type 2.

Use of SOC 2 reports is generally restricted to those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services.

How to Prepare for a SOC 2 Audit

There are four major steps you should follow to prepare for a SOC 2 audit. (You can even start the first one today.)

1. Find a reputable CPA firm.

“Wait a minute. I thought SOC 2 focused on information security. Why are you telling me to find a CPA firm?” Great question. The AICPA (American Institute of Certified Public Accountants) developed the SOC 2 framework, so your auditor will have to be a CPA firm to issue a SOC 2 report. Technically, any CPA firm can issue one. But, not any CPA firm can do it the right way. Because SOC 2 focuses specifically on security, you want a firm that understands security and the ins and outs of the AICPA guidance. So, in this case, a “reputable” CPA firm should meet as many of these qualifications as possible:

  • You have a trusted relationship with them.
  • They have a large information security practice.
  • They demonstrate information security thought leadership by regularly creating content around relevant information security topics.
  • They have the AICPA’s Cybersecurity Advisory Services Certificate.
  • They have extensive experience with SOC 2 reporting.

2. Work with the firm to develop a deeper understanding of SOC 2.

Security

Official text
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”

Translation
Are information and systems appropriately secured? This requirement is included in every SOC 2 assessment and is not optional.

Availability

Official text
“Information and systems are available for operation and use to meet the entity’s objectives.”

Translation
Are information and systems appropriately available for use?

Processing Integrity

Official text
“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”

Translation
Is information processed appropriately by your systems?

Confidentiality

Official text
“Information designated as confidential is protected to meet the entity’s objectives.”

Translation
Is confidential information adequately protected?

Privacy

Official text
“Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.”

Translation
Is personal information adequately protected? It is common to confuse the privacy and confidentiality criteria. The difference between the two is that privacy controls protect personal information (name, social security number, address, etc.) and confidentiality protects non-personal information and data that is still classified as “confidential.”

The most important thing to know is this: The criteria you’re assessed against should make sense according to the services you provide. At the end of the day, the CPA firm must provide an opinion on the effectiveness of the controls suited to the operational environment. So, they should verify that the criteria they’re assessing you against makes sense according to the services you provide.

3. Perform a full readiness assessment with the firm you select.

During this process, the firm will educate you on the requirements of all the framework’s criteria and help you understand any control gaps your organization has related to those criteria and points of focus. A point of focus (POF) is a supporting control that offers considerations and guidance. POFs are not requirements but rather serve as clarifications to criteria and assisting an organization as they create controls. A firm will work with you to help you understand the controls you’ll need to implement to receive a favorable report.

It’s important to know that your organization must create the controls. While the CPA firm can provide guidance around the types of controls you’ll need, they can’t create any controls for you. The end result of the readiness assessment is essentially a report that says something to the effect of: “Here are the controls that would be in your SOC 2 report. Here is how they map back to each criterion relevant to your business. And, here is where you have gaps that need remediation.”

Note: If this is your first SOC 2 assessment, you will almost definitely have a fair amount of control gaps and areas to remediate.

4. Engage the CPA firm for a complete SOC 2 audit.

Remember how there are multiple types of SOC audits? Well, to further complicate things, there are also multiple types of SOC 2 audits. Here they are:

  • SOC 2, Type I: This type of SOC 2 reports on the design effectiveness of controls at a specific point in time.
  • SOC 2, Type II: This type of SOC 2 reports on both the design and operating effectiveness of a controlled environment over a period of time (minimum of 6 months and usually up to 9 months to a full year). A Type I audit is generally used as a stepping-stone to a Type II audit. So, what does the audit process actually look like? It varies by firm, but there are a few things you can count on.

There’s going to be an on-site visit. Someone from the CPA firm (the assessor) will visit your facility to review evidence for the controls you’ve implemented to meet the requirements of the trust services criteria applicable to your organization. This generally occurs toward the end of the assessment period. So, if your assessment period ends in December, the on-site visit will likely occur during November and/or December. The assessing firm will perform testing that covers the entirety of the reporting period to ensure your controls have been operating effectively the whole time. So, while they may only be on-site toward the end of the audit period, their testing will cover the entire audit period (if you’re receiving a SOC 2, Type II report). During this on-site visit, their goal is to test the controls you have defined and make sure they effectively address the requirements and criteria of the SOC 2 framework.

Management will need to present an accurate description of controls. Remember—the CPA firm is not responsible for helping you implement controls—only assessing them. Therefore, in the report, your company’s management is responsible for presenting an accurate description of the control environment.

The CPA firm will issue a report after your report period’s end date. This is important. Regardless of when your assessment is completed, you won’t receive your report until after the assessment period’s end date (generally 45 – 60 days). In this report, the CPA firm issues its opinion on the design (SOC 2, Type I) or design and operating effectiveness (SOC 2, Type II) of your organization’s control environment.

Other Things You Should Know About Your SOC 2 Audit

Here are some of the other things you should know before getting into your audit.

  1. Compliance is not quick. It takes a lot of time and effort. Resist the urge to view it as a short-term project. Take a long-term approach. Achieving SOC 2 compliance will improve your organization’s security and help you become a better steward of customer data. The requirement for strong information security controls isn’t going anywhere. Play the long game. Build a strong foundation that will help you for years to come.
  2. Be completely honest during the readiness assessment. Sometimes, organizations going through the readiness process don’t tell the whole truth. Or, the CPA firm doesn’t do enough to confirm that the control would actually work. So, be completely honest with the CPA firm—because if they know there’s a gap, they can help you understand how to fix it. But, if they don’t know there’s a gap—you’ll be in for an unpleasant surprise when it’s time for your real audit.
  3. Exceptions are not the end of the world. An exception communicates: “Yes, there were issues here. But, overall, the company is still meeting the overall objective of the framework, etc.” …or something along those lines. Exceptions are not the end of the world, and they should not be viewed as such. It’s very rare for a report to have no exceptions at all. Do what you can to avoid them, but don’t view them as the sky caving in on your business. What you really want to avoid are these:
    • Qualified Opinion, which effectively says, “Everything looks good, except for (insert large area of control gaps).”
    • Adverse Opinion, which effectively says, “This company isn’t doing what they’re supposed to be doing. Buyer beware.”
  4. Policies are simple. Implementation is hard. It’s easy to write a policy, but it’s hard to actually implement those policies and make sure the processes are followed. While paperwork is a good place to start, make sure your controls exist in real-life—not just on the page.
  5. Self-monitoring is valuable. Self-monitoring is when you test your own controls. The goal is to ensure that, when the assessor performs testing, you won’t be surprised by the results. This is a challenging process, but it can give you a great indication of how your control environment is functioning before the assessor comes in.
  6. If your control environment changes, understand what those changes are, and make sure your CPA firm understands that, too. For example: If you know there are certain old systems that will be replaced before the end of your audit period, alert your CPA firm, so they can audit those systems before they’re gone forever.

SOC 3 Engagements

SOC 3 engagements use the predefined criteria in trust services criteria that are used in SOC 2 engagements. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results).  It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy).

Executive Team for SOC 3 Audits

If you are interested in more information on SOC 2 or SOC 3 Audits, please contact Drew and Robyn.

What is a SOC 3® Report

Similar to the SOC 2, the SOC 3 report is a report on the controls at a SO which are relevant to the SO’s ability to maintain the security, availability, processing, integrity, confidentiality, and privacy of a user entity’s data for  which it is responsible. The assessment entails the same Trust Services Criteria, controls, and evaluation of controls addressed in a SOC 2 report.

The key distinction is that the SOC 3 is intended for general use as opposed to restricted use. This means that the SOC 3 report is a public-facing document that gives a high-level overview of information that would be contained in a SOC 2 report. While a SOC 2 report contains sensitive information about business systems and controls at a level that would not be appropriate for public distribution, a SOC 3 report does not and is used as a front-facing report, often for the purposes of sales and marketing.

Examples include:

  • A SO may choose to display a SOC 3 seal on its website if it meets the criteria, and link to the SOC 3 report.
  • Sales team may use the report to provide prospects and clients to assure them that SO is protecting their data and private information. Clients can easily verify best practices are being followed to guard against security breaches and corrupted data.

Another benefit of a SOC 3 report is there are no additional audit procedures necessary if you’ve already been issued a SOC 2 report.

SOC for Cybersecurity

The SOC for Cybersecurity examination is designed to provide report users with information to help them understand management’s process for handling enterprise-wide cyber risks. It can be performed for any type of organization regardless of size or industry, and report users aren’t necessarily current customers or customer auditors.

SOC for Cybersecurity provides the following:

  • A standard, consistent, way to report on an entity’s cybersecurity risk management program (CRMP).
  • An effective way to communicate cybersecurity control effectiveness to stakeholders, boards, committees, customers, and partners through a comprehensive cybersecurity audit.

Differing from SOC 2 reports, SOC for Cybersecurity reports address the following:

  • The baseline against which an entity is assessed in SOC for Cybersecurity is the Description Criteria for management’s description of the entity’s cybersecurity risk management program.
  • An organization pursuing a SOC for Cybersecurity may utilize the Trust Services Criteria, but may also use another generally accepted security framework when designing or assessing its control requirements.
  • SOC for Cybersecurity reports are general use reports, and the objectives of the report are often determined by company management. These reports are meant for a broader audience than SOC 2 reports and may be shared with anyone inside or outside an organization.
  • In a SOC for Cybersecurity, the controls matrix will not be included in the report.

The LBMC SOC audit team was instrumental in working with the AICPA to create and release this assessment to help you achieve compliance and provide the insights you need to make better business decisions.

Client Testimonial

Testimonial Icon
You will not find a more professional team than LBMC. They are easy to work with, challenge us to be better, and deliver excellent results every time. LBMC has been our partner for many years and has worked alongside us as a trusted advisor in helping with our SOC Audit needs.
Senior Director of Governance, Risk, and Compliance for a leading software and information solutions provider

Executive Team for SOC Auditss

Link to Paul SOC Audit

Paul Demastus

Shareholder, Audit and Advisory

phone icon email icon Nashville
phone icon email icon Nashville
Link to Drew SOC Audit

Drew Hendrickson

Shareholder & Practice Leader, Cybersecurity

phone icon email icon Nashville
phone icon email icon Nashville
Link to Jacob SOC Audit

Jacob Schuetze

Shareholder, Audit and Advisory

phone icon email icon Nashville
phone icon email icon Nashville
Link to Robyn SOC Audit

Robyn Barton

Shareholder, Cybersecurity

phone icon email icon Nashville
phone icon email icon Nashville