Service Organization Control (SOC) Reports
Service Organization Control (SOC) Reports apply to organizations that handle sensitive client data, related to using outsourced business processing and information technology. EC Barrett’s SOC professionals are deeply experienced in IT and SOC guidelines and standards. We take time to understand your business and your end-users’ needs so that we can help you choose the best report for your service organization based on all relevant factors.
There are three types of Service Organization Control Reports: SOC 1, SOC 2, and SOC 3:
SOC 1 Reports: SSAE 16 Audits Replaced SAS 70 Reports
A SOC 1 Report or SSAE 16 Audit (formerly SAS 70) focuses solely on controls that are likely to be relevant to an audit of your clients’ financial statements. SOC 1, performed under AICPA professional standard SSAE 16, requires a written assertion by your company’s management in relation to control objectives, system description, and effectiveness of your controls. With a SOC 1 Report, our service auditor concludes and gives an opinion that:
Your description of controls is fairly presented and placed into operation.
The controls are suitably designed to meet your stated control objectives.
The controls are operating effectively (Type II).
There are two types of SOC 1 Reports (also applies to SOC 2 reports):
Type I – this report reports on your organization’s controls at a specific point in time. It includes our opinion on whether the controls are fairly presented, suitably designed and placed in service as of a specified date.
Type II – this report is more comprehensive, and usually covers a period of six months or more. It provides your company with everything a Type I report does, as well as an opinion on the operating effectiveness of the controls over a period of time, and includes a description of the CPA’s tests of controls and results.
SOC 2 and SOC 3 Reports
SOC 2 and SOC 3 Reports address controls related to operations and compliance, rather than those relevant to a financial statement audit.
SOC 2 Report - addresses one or more areas at your service organization relevant to the Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. Like a SOC 1 report, it requires a written assertion by your company’s management in relation to control objectives, system description, and effectiveness of your controls. Type I and Type II reports are available within the SOC 2 report.
SOC 3 Report - is a Trust Services Report, also based on one or more of the five trust services principles listed above. It only reports on whether your system achieved the trust services criteria for each area selected, and does not include the description of tests and results. A SOC 3 also permits you to purchase and use a SOC 3 seal on your website and marketing materials, and to use the report as a marketing tool.
By completing a SAS 70 Audit an organization demonstrates to current and potential customers that they are delivering a secure, reliable, effective operating environment with proper controls in place.
For more information regarding SAS 70 Audits please contact one of our auditors.