SOC EXAMINATION SERVICES
A System and Organization Controls (SOC) audit is an examination performed by an independent public accounting firm. If your organization provides outsourced services to other businesses, chances are you’ll be requested to demonstrate that you maintain a sound environment of internal control over the transactional data you manage or systems you host on their behalf. Weaver’s SOC reporting services provide your customers with confidence that you have the proper internal control structure to protect their information.
The primary objective of a SOC audit is to provide transparency related to a service organization’s internal control structure, and to provide assurance regarding the design and operating effectiveness of the controls that are in place. A SOC audit is not a certification. There is no pass/fail rating that comes with a SOC audit; rather, the output is a published audit report that includes any control exceptions or failures.
WHICH SOC REPORT IS RIGHT FOR YOU?
The Association of International Certified Public Accountants (AICPA) has created multiple reporting options to enable you to demonstrate transparency to your customers and prospects. Only registered CPA firms can adequately perform and issue SOC reports in accordance with the relevant attestation standards. The current standard offers five different reporting options that are available for management. Weaver can help your organization by identifying which one is best suited for your services:
SOC 1 examinations focus on evaluating internal controls over financial reporting related to the outsourced service offering. This information can be crucial for your customers who have to comply with laws and regulations such as the Sarbanes-Oxley Act of 2002, FDICIA or FFIEC. The boundaries of the scope are determined by (a) the types of services delivered to customers and (b) the risks that are pertinent to users of these services.
Purpose: Report on internal controls over services relevant to user entities’ (your customers’) financial reporting.
Report Types:
Type 1 - Point in time
Type 2 - Period of time (typically 6-12 months)
Usage: Audit of financial statements
Audience: User entities of the outsourced service and their financial auditors

SOC 2 examinations focus on evaluating compliance with the Trust Services Criteria (TSC). The TSC are used to evaluate and report on controls over information and systems across an entire entity, at the operating unit level, within a particular function or for a particular type of information. The TSC are classified into five main categories:
⊲ Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information and damage to systems.
⊲ Availability: Information and systems are available for operation and use to meet the entity’s objectives.
⊲ Processing Integrity: System processing is complete, valid, accurate, timely and authorized to meet the entity’s objectives.
⊲ Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
⊲ Privacy: Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.
Purpose: Report on internal controls over technical subject matter relating to information security and operational risks.
Report Types:
Type 1 - Point in time
Type 2 - Period of time (typically 6-12 months)
Usage: Governance, risk or compliance programs; due diligence
Audience: User entities for internal audit, due diligence, ongoing vendor management and regulatory compliance.
SOC 2+ Additional Criteria. Similar to a SOC 2 examination, SOC 2+ examinations focus on evaluating compliance with the Trust Services Criteria (the TSC) and compliance with other criteria and frameworks. Common frameworks reported on via a SOC 2+ examination are: