We can help you gain the trust that is needed for a synergistic business relationship.
As businesses become more dependent on each other to stay competitive in their industries, a trusting relationship is critical. At Larson & Company, we specialize in providing System and Organization Controls (SOC) audit reports to help service organizations demonstrate their internal controls to user entities. Our seasoned auditors and certified public accountants are dedicated to helping you get the SOC report that is right for you and your business. Let us help you understand the differences between each type of SOC report and assess which report matches your business's needs and goals. For more information on SOC audits, we welcome you to email Cameron Hodson.
We are SOC experts.
When measuring security, trust a team with experience.
We are proficient in providing SOC 1, SOC 2, and SOC 3 reports and have worked with many companies to ensure they receive the correct report for their specific needs. Our team is highly trained and efficient, giving you a high-quality report with minimal disruption to your operations.
If you provide one of these services to another organization, a SOC audit may apply to you:
PAYROLL SERVICES
IT & WEB HOSTING
EMPLOYEE BENEFITS
CLAIMS PROCESSING
PAYMENT PROCESSING
MORTGAGE SERVICING
DATA ANALYTICS
ADDRESS VERIFICATION
APPRAISAL MANAGEMENT
WHICH SOC MEETS YOUR NEEDS AND GOALS?
- SOCS AT A GLANCE
- SOC 1
- SOC 2
- SOC 3
SOC AUDITS AT A GLANCE
Wondering if a SOC audit is right for your company? Curious about which SOC report is used for which purpose? Here's an overview of the differences and similarities among the three types of SOC audit.
Type of SOC Audit | SOC 1 | SOC 2 | SOC 3
---|---|---|---
Intended user | Financial auditors and officers of the user entities | Users interested in the organization's adherence to the Trust Services Categories (those served by the organization) | Any user interested in the organization's adherence to the Trust Services Categories; typically obtained by the organization for marketing purposes
AICPA guidance | SSAE 18 and AT-C 320 | AT-C 105, AT-C 205, and the AICPA Guide | AT-C 105, AT-C 205, and the AICPA Guide
Audit opinion for Type 1 reports | Controls are suitably designed and implemented as of a specified date | Controls are suitably designed and implemented as of a specified date | N/A; we report our opinion on whether the service organization maintained effective controls over its system as it relates to the Trust Services Categories being reported on
Audit opinion for Type 2 reports | Controls are operating effectively during the period under review | Controls are operating effectively during the period under review | N/A; we report our opinion on whether the service organization maintained effective controls over its system as it relates to the Trust Services Categories being reported on
Who can use the report? | Restricted to users that already have an understanding of the service organization and its controls | Restricted to users that already have an understanding of the service organization and its controls | General use; can be distributed freely
Control objectives or criteria | Defined by the service organization | Trust Services Categories per the AICPA Guide: Security (always included) plus any of Availability, Processing Integrity, Confidentiality, and Privacy | Trust Services Categories per the AICPA Guide: Security (always included) plus any of Availability, Processing Integrity, Confidentiality, and Privacy
SOC 1 AUDITS
SOC 1 audits are examinations of a service organization's internal controls relevant to user entities' financial reporting, performed in accordance with the Statements on Standards for Attestation Engagements (SSAE) as codified in the AICPA Attestation Standards (AT-C 320). The most recent major revision to these standards was SSAE No. 18, which recodified the guidance for reporting on controls at a service organization. These reports are intended for entities that use the service organization's services (user entities) and the CPAs that audit the user entities' financial statements (user auditors). The control objectives deemed important to the user entities, and tested by the SOC auditor, are usually defined by the service organization. Because the users of these reports are interested in the financial controls of the service organization, most control objectives selected relate to financial processes. Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
BENEFIT
As more services are outsourced to other companies, businesses increasingly rely on their service organizations' controls to maintain processing integrity, deter fraud, and keep financial reporting accurate. Obtaining a SOC 1 report puts the customers of a service organization at ease and strengthens the business partnership.
SOC 2 AUDITS
SOC 2 audits are examinations of a service organization's internal controls, performed in accordance with the AICPA Guide, Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended for a broader range of users who need information and assurance about the controls affecting the security, availability, and processing integrity of the systems the service organization uses to process user data, and the confidentiality and privacy of the information those systems process.
A SOC 2 audit can cover up to five (5) categories of controls. It must include the Security category. The additional categories that the service organization may select for testing are:
- Security (always included)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Which categories are relevant depends on the commitments the service organization has made to its customers and the type of services it provides. Once the categories to be audited are identified, the auditor reviews the organization's internal controls to determine whether they meet the criteria for those categories as specified in the AICPA Guide. Use of these reports is restricted to parties with sufficient understanding of the service organization and its controls, such as the management of the service organization, its user entities, and their auditors.
BENEFIT
As the exchange of information between businesses becomes more prevalent, the trust between companies can be severed if a service organization fails to maintain adequate controls over the Security, Availability, Processing Integrity, Confidentiality, or Privacy of its systems. Obtaining a SOC 2 report allows a service organization to maintain and strengthen the trust of its user entities.
SOC 3 AUDITS
SOC 3 audits are examinations of a service organization's internal controls, performed in accordance with the AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Unlike a SOC 2 report, a SOC 3 report is generally obtained by a service organization to demonstrate its adherence to the Trust Services Categories and market itself to potential users. The categories the service organization can select for testing are the same as for a SOC 2 audit:
- Security (always included)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
These reports are not restricted and can be freely distributed for marketing purposes. Because of the general use nature of these reports, audit procedures performed are usually more extensive and involved. SOC 3 audits may also require the audit of the service organization’s vendors.
BENEFIT
Obtaining a SOC 3 audit report not only helps promote trust with current customers, but can also differentiate a company from its competitors and give it the boost it may need to win new business from prospective customers. Because they are general-use reports, SOC 3 reports can be posted publicly on a company's website.
Answers to Questions We Know You Are Asking:
What is a SOC report, and why is it important?
A System and Organization Controls (SOC) report is an audit report issued by an independent auditor on the design and implementation of an organization's internal controls (Type 1) and, potentially, on the operating effectiveness of those controls over a specified period (Type 2). These reports may be required by third parties that use the service organization's services, and the process of obtaining one can also improve the organization's overall security posture.
Also refer to our blog, "What is a SOC?" (January 13, 2016)
How often should a company renew its SOC report?
SOC reports are generally renewed annually, although certain industries or regulatory needs may require more frequent updates. The AICPA SOC logo can be displayed on the service organization's website for up to 12 months following the date of its SOC report.
Also refer to our blog, “What Period Should My Type 2 SOC Report Cover?”
What are the main types of SOC reports (SOC 1, SOC 2, and SOC 3), and how do they differ?
SOC 1 focuses on controls relevant to user entities' financial reporting. SOC 2 addresses security, availability, processing integrity, confidentiality, and privacy controls and may be expanded to cover additional subject matter such as HIPAA or GDPR requirements. SOC 3 is an abbreviated, general-use version of the SOC 2 report that can be distributed widely for marketing and trust-building purposes.
See our list of SOC audit types.
What is the difference between SOC 2 Type 1 and Type 2 reports?
A SOC 2 Type 1 report covers the design and implementation of controls as of a specific date, while a Type 2 report also tests whether those controls operated effectively over a review period. The same distinction applies to SOC 1 Type 1 versus SOC 1 Type 2 reports.
Also refer to our blog, “Choosing between SOC 2 Reports and ISO/IEC 27001 Certification”
Who typically needs a SOC report?
Organizations that handle sensitive data, such as SaaS providers, healthcare, finance, and insurance companies, benefit most from SOC reports for regulatory and client trust purposes.
See our list of common service organization types.
What are the Trust Services Criteria in SOC 2?
SOC 2 reports are evaluated against the AICPA Trust Services Criteria, which are organized into five categories: security, availability, processing integrity, confidentiality, and privacy. The security category (the common criteria) must always be included; the other categories may be added depending on the nature of the organization's commitments to its customers.
Also refer to our blog, “Alert: New SOC 2 Trust Service Criteria”
How does a company prepare for a SOC audit?
A SOC readiness assessment helps an organization identify gaps in its controls and remediate them before the audit begins. Preparation also includes reviewing current controls, identifying control owners, and gathering the documentation and evidence the auditor will request.
Contact us for a free 2-hour consultation.
Also refer to our blog, “How To Be SOC Ready!” and “Internal Audit Power: How Internal Audit Can Help Prepare for a SOC Audit”
What are the steps involved in a SOC audit process?
The SOC process involves planning (scoping the system, the categories or control objectives, and the review period), control testing (inquiry, observation, inspection of evidence, and reperformance of controls), and reporting (the system description, management's assertion, and the auditor's opinion). Each stage is essential to a thorough audit.
How can companies address issues identified in a SOC audit?
You can still obtain a clean (unmodified) opinion on a report that contains exceptions; very few SOC reports are issued with none. Larson & Company will make recommendations to help remediate any exceptions and improve the overall quality of your controls.
How long does it typically take to complete a SOC audit?
The timeline varies depending on the complexity of the organization, the capacity and qualifications of its personnel, and the type of SOC report. From readiness assessment to issuance, the process can take several months to complete.
Also refer to our blog, “How Long Does A SOC Exam Take?”
How does a SOC report differ from a cybersecurity risk assessment?
A SOC report is a formal attestation engagement in which an independent auditor validates controls against defined criteria, while a cybersecurity risk assessment is typically an internal review used to identify threats and vulnerabilities and decide how to respond to them.
Also refer to our blog, "Have you considered getting a System and Organization Controls Report (SOC) over your Cybersecurity Controls?"
How can a SOC report impact customer relationships and sales?
SOC reports can enhance credibility, making clients more comfortable working with an organization and improving sales by demonstrating commitment to security.
Also refer to our blog, "What is a SOC?" (January 13, 2016)
What is SOC readiness, and how can it benefit companies before a full audit?
SOC readiness assessments help companies identify and address gaps in controls before undergoing a full SOC audit. Contact us for a free 2-hour consultation.
Also refer to our blog, “How To Be SOC Ready!”
What is a Subservice Organization?
A subservice organization is a vendor used by a service organization that performs controls necessary to achieve the service organization's service commitments and system requirements, e.g., a hosting provider for a title company. Subservice organizations, and the procedures the service organization uses to monitor them, must be described in the SOC report.
Also refer to our blog, "Is my Vendor a Subservice Organization?”