Which SOC Is The Right Fit For You?

Do you provide a service to another organization?

These services may include:

  • Claims Processing
  • Payment Processing
  • Mortgage Servicing

We can help you gain the trust that is needed for a synergistic business relationship.

As businesses become more interdependent to stay competitive in their industries, a trusting relationship is critical. At Larson & Company, we specialize in providing Service Organization Control (SOC) audit reports to help service organizations promote their company’s internal controls to user entities. Our seasoned auditors and certified public accountants are dedicated to helping you get the SOC that is right for you and your business. Let us help you understand the differences between each type of SOC and assess which report matches your business’s needs and goals. For more information on SOC audits, we welcome you to email Andrew Wan or call 801-984-1829.

SOC 1 AUDITS

SOC 1 audits are audits of internal controls of a service organization in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization. These reports are intended for use by the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors). The control objectives that are deemed to be important to the user entities and audited by the SOC auditor are usually defined by the service organization. Because the users of these reports are interested in the financial controls of the service organization, most of the control objectives selected are relevant to financial processes. Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

Benefit

As more services are outsourced to other companies, reliance on service organizations’ controls has increased to ensure that the processing integrity, fraud deterrence, and reporting accuracy of businesses are maintained. Obtaining these reports will put worried customers of service organizations at ease and increase synergy within business partnerships.

SOC 2 AUDITS

SOC 2 audits are audits of internal controls of a service organization in accordance with the AICPA Guide: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended for use by a broader range of users that need information and assurance about the controls that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of information processed by the system.

The categories that are relevant to user entities will be identified by a client, or user, of the organization who wishes to ensure safety through the service organization’s systems. After these categories to be audited are identified, the auditor will review the internal controls of the organization to determine if they meet the criteria associated with the categories that are specified by the AICPA Guide. The categories that could be selected by the user organization for testing are:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

Benefit

As the exchange of information between businesses becomes more prevalent, the commitment and trust between companies can be severed if service organizations are not maintaining adequate controls over the Security, Availability, Processing Integrity, Confidentiality, or Privacy of their systems. Obtaining these reports will allow a service organization to maintain and fortify trust with its user entities and enhance their trust with one another.

SOC 3 AUDITS

SOC 3 audits are audits of internal controls of a service organization in accordance with the AICPA Trust Services Categories, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Unlike SOC 2 reports, a SOC 3 audit is generally done by a service organization to measure its level of adherence to the Trust Services Categories in order to market itself to potential users. The categories that can be selected for testing by the service organization are the same as for SOC 2 audits:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

These reports are not restricted and can be freely distributed for marketing purposes. Because of the general-use nature of these reports, the audit procedures performed are usually more extensive and involved. SOC 3 audits may also require the audit of the service organization’s vendors.

Benefit

Obtaining a SOC 3 audit report will not only help promote trust with current customers, but can also effectively differentiate a company from its competitors and give it the boost it may need to generate new business from prospective customers. SOC 3 reports can also be publicly presented on a company’s website.

SOC AUDITS AT A GLANCE

Type of SOC Audit: SOC 1, SOC 2, SOC 3

Intended user

  • SOC 1: Financial auditors and officers of the user entities
  • SOC 2: Users interested in the organization’s adherence to Trust Principles (those served by the organization)
  • SOC 3: Owners interested in the organization’s adherence to Trust Categories, specifically for marketing the organization

AICPA Guidance

  • SOC 1: SSAE 18
  • SOC 2: AT 101 and AICPA Guide
  • SOC 3: AT 101 and AICPA TPA

Audit Opinion for Type 1 reports

  • SOC 1: Fair description of controls and its implementation; controls were suitably designed
  • SOC 2: Fair description of controls and its implementation; controls were suitably designed
  • SOC 3: N/A – we report our opinions on whether service organization maintained effective controls over its system as it relates to the trust services categories being reported

Audit Opinion for Type 2 reports

  • SOC 1: Controls are operating effectively during period in review
  • SOC 2: Controls are operating effectively during period in review
  • SOC 3: N/A – we report our opinions on whether service organization maintained effective controls over its system as it relates to the trust services categories being reported

Who can use the audit?

  • SOC 1: Restricted to users that already have an understanding of the service organization and its controls
  • SOC 2: Restricted to users that already have an understanding of the service organization and its controls
  • SOC 3: General use, can be distributed freely

Control objectives

  • SOC 1: Defined by client
  • SOC 2: Categories based on AT 101: Security, Availability, Processing integrity, Confidentiality, Privacy
  • SOC 3: Categories based on AT 101: Security, Availability, Processing integrity, Confidentiality, Privacy

Our team of experts is ready to serve you!


Larson & Company | 2018 AMPLIFYONLINE
