We can help you gain the trust that is needed for a synergistic business relationship.
As businesses become more interdependent in order to stay competitive in their industries, a trusting relationship is critical. At Larson & Company, we specialize in providing Service Organization Control Audit Reports (SOC) to help service organizations promote their company’s internal controls to user entities. Our seasoned auditors and certified public accountants are dedicated to helping you get the SOC that is right for you and your business. Let us help you understand the differences between each type of SOC and assess which report matches your business’s needs and goals. For more information on SOC audits, we welcome you to email Andrew Wan or call 801-984-1829.
SOC 1 AUDITS
SOC 1 audits are audits of internal controls of a service organization in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization. These reports are intended for use by the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors). The control objectives that are deemed to be important to the user entities and audited by the SOC auditor are usually defined by the service organization. Because the users of these reports are interested in the financial controls of the service organization, most control objectives selected are relevant to financial processes. Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
As more services are outsourced to other companies, reliance on service organizations’ controls has increased to ensure that the processing integrity, fraud deterrence, and reporting accuracy of businesses are maintained. Obtaining these reports will put worried customers of service organizations at ease and increase synergy between business partnerships.
SOC 2 AUDITS
SOC 2 audits are audits of internal controls of a service organization in accordance with the AICPA Guide: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended for use by a broader range of users that need information and assurance about the controls that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of information processed by the system.
The categories that are relevant to user entities will be identified by a client, or user, of the organization who wishes to ensure safety through the service organization’s systems. After these categories to be audited are identified, the auditor will review the internal controls of the organization to determine if they meet the criteria associated with the categories that are specified by the AICPA Guide. The categories that could be selected by the user organization for testing are:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
As the exchange of information between businesses becomes more prevalent, the commitment and trust between companies can be severed if service organizations are not maintaining adequate controls over the Security, Availability, Processing Integrity, Confidentiality, or Privacy of their systems. Obtaining these reports will allow a service organization to maintain and fortify trust with its user entities and enhance their trust with one another.
SOC 3 AUDITS
SOC 3 audits are audits of internal controls of a service organization in accordance with the AICPA Trust Services Categories, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Unlike SOC 2 reports, a SOC 3 audit is generally done by a service organization to measure its level of adherence to the Trust Services Categories in order to market itself to potential users. The categories that can be selected for testing by the service organization are the same as for SOC 2 audits:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
These reports are not restricted and can be freely distributed for marketing purposes. Because of the general-use nature of these reports, audit procedures performed are usually more extensive and involved. SOC 3 audits may also require the audit of the service organization’s vendors.
Obtaining a SOC 3 audit report will not only help promote trust with current customers, but can also effectively differentiate a company from its competitors and give the boost a company may need to generate new business from prospective customers. SOC 3 reports can also be publicly presented on a company’s website.
SOC AUDITS AT A GLANCE
| Type of SOC Audit | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| Intended user | Financial auditors and officers of the user entities | Users interested in the organization’s adherence to Trust Principles (those served by the organization) | Owners interested in the organization’s adherence to Trust Categories, specifically for marketing the organization |
| AICPA Guidance | SSAE 18 | AT 101 and AICPA Guide | AT 101 and AICPA TPA |
| Audit Opinion for Type 1 reports | | | N/A – we report our opinions on whether service organization maintained effective controls over its system as it relates to the trust services categories being reported |
| Audit Opinion for Type 2 reports | Controls are operating effectively during period in review | Controls are operating effectively during period in review | N/A – we report our opinions on whether service organization maintained effective controls over its system as it relates to the trust services categories being reported |
| Who can use the audit? | Restricted to users that already have an understanding of the service organization and its controls | Restricted to users that already have an understanding of the service organization and its controls | General use, can be distributed freely |
| Control objectives | Defined by client | Categories based on AT 101: | Categories based on AT 101: |