We believe in creating a strong working relationship with our clients to determine their specific accounting and compliance needs.


Holbrook & Manter SOC Reporting Services

Holbrook & Manter has performed numerous SOC 1 and SOC 2 engagements for clients across the United States. Our AICPA-trained auditors can assist your organization with consulting, planning, and reporting on any of the 3 SOC report types across many industries.

What is a SOC report?

Service Organization Controls reports, or SOC reports, are based on a relatively new AICPA framework designed to assist CPAs in reporting on the controls at a service organization. The SOC framework was created to replace the outdated SAS 70 control standard, which was not designed to address the many rapid changes that technology and the Internet would bring to everyday business needs.

Why do I need a SOC report?

There are numerous reasons a company could benefit from a SOC reporting engagement. If your company provides outsourced business services to other entities, it is very likely your customers have requested or will soon request a SOC report from you. The SOC report is an effective way for your customers to obtain assurance that your control environment is defined, suitably designed, and implemented effectively, and thus gives them an independent basis to evaluate the risks of doing business with you.

What are the different kinds of SOC reports?

There are 3 different kinds of SOC reports, each designed for a specific purpose. Here is a brief description of each:

SOC 1 - Also referred to as an SSAE 16, a SOC 1 is a report that addresses a service organization’s controls specifically relevant to a user entity’s financial reporting. This report can be a Type 1 or a Type 2. A Type 1 report addresses the fairness of management’s system description and the suitability of the design of controls as of a certain date. A Type 2 report expands on the Type 1 and includes reporting on the operating effectiveness of those controls over a period of time. The use of a SOC 1 report is restricted to the management of the service organization, the service organization’s user entities, and the auditors of user entities.

SOC 2 - A SOC 2 report is very different from a SOC 1 and serves a very different purpose. SOC 2 reports address controls at a service organization relevant to one or all of 5 Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 reports are designed to give user entities an understanding of a service organization’s controls, risk, and governance programs related to the service organization’s information technology systems and data. Like the SOC 1 report, the SOC 2 report can be issued as a Type 1 or Type 2 and is also restricted use.

SOC 3 - A SOC 3 report is very similar to a SOC 2 report but is intended for a different audience. The SOC 3 covers the same subject matter as the SOC 2; however, it contains a less detailed description of a service organization’s system and does not include details of the service auditor’s testing of controls and results. The SOC 3 report is not restricted use and can be freely distributed to anyone.

Which SOC report do I need?

Choosing which report or reports are appropriate for you depends on a number of things. Holbrook & Manter can discuss this with you and advise which approach is right for your company. We have experience in advising and assisting many companies in planning and preparing for these types of engagements.