Holbrook & Manter has performed SOC engagements for clients across the United States and the globe in a wide variety of industries. Backed by years of experience and impressive credentials, our SOC audit team can assist your organization with consulting, planning and reporting on any of the three SOC report types, no matter which industry sphere you operate in.
Service Organization Controls Reports, better known as SOC Reports, are based on a framework developed by the AICPA designed to assist CPAs in reporting on the controls of a service organization. Visit our site dedicated to SOC audits for more details.
Visit the SiteThere are numerous reasons why a company can benefit from participating in a SOC Reporting engagement. A SOC Report is an effective way for your customers to get assurance that your control environment is defined, suitably designed and implemented effectively. In short, it helps outside customers and organizations to feel as though it is safe to do business with you. Learn more about why you may need a SOC Report by following the link below.
Learn MoreThere are three different kinds of SOC reports, each designed for a specific purpose:
Also referred to as an SSAE 16, SOC 1 is a report that addresses a service organization’s controls specifically relevant to a user entity’s financial reporting. This report can be a Type 1 or a Type 2. A Type 1 report addresses the fairness of management’s system description and the suitability of the design of controls as of a certain date. A Type 2 report expands on the Type 1 and includes reporting on the operating effectiveness of those controls over a period of time. The use of a SOC 1 report is restricted to the management of the service organization, the service organization’s user entities and the auditors of user entities.
Explore SOC 1
A SOC 2 report is very different from a SOC 1 and serves a very different purpose. SOC 2 reports address controls at a service organization relevant to one or all of five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. SOC 2 reports are designed to give user entities an understanding of a service organization’s controls, risk and governance programs related to the service organization’s information technology systems and data. Like the SOC 1 report, the SOC 2 report can be issued as a Type 1 or Type 2, and is also restricted use.
View SOC 2
A SOC 3 report is very similar to a SOC 2 report, though it is intended for a different audience. The SOC 3 covers the same subject matter as the SOC 2; however, the SOC 3 contains a less detailed description of a service organization’s system and does not include details of the service auditor’s testing of controls and results. The SOC 3 report is not restricted use and can be freely distributed to anyone.
More About SOC 3Choosing which report or reports are appropriate for you depends on a number of factors. Holbrook & Manter can discuss this with you and advise which approach is right for your company. We have experience in advising and assisting a great many companies in planning and preparing for these type of engagements.
Holbrook & Manter proudly partners with Blair Carlisle to help further expand our risk advisory services. Blair Carlisle is a renowned cyber risk management and compliance advisory firm headquartered here in Columbus, Ohio. This strong partnership allows us to offer a vast array of enhanced services, including cybersecurity compliance, privacy compliance services (such as CCPA and GDPR) and thorough risk assessments against a variety of standards, including NIST CSF, NIST 800-171, HIPAA, ISO27001, CMMC and more.
Have additional questions about our SOC Reporting & Consulting services? Get in touch with Holbrook & Manter or visit our SOC Audit Services website today.