Which SOC Is The Right Fit For You?
IT + SOC Audits
We can help you gain the trust that is needed for a synergistic business relationship.
As businesses become more interdependent on each other to stay competitive in their industries, a trusting relationship is critical. At Larson & Company, we specialize in providing Systems and Organization Control Audit Reports (SOC) to help service organizations promote their company’s internal controls to user entities. Our seasoned auditors and certified public accountants are dedicated to helping you get the SOC that is right for you and your business. Let us help you understand the differences between each type of SOC and assess which report matches your business’s needs and goals. For more information on SOC audits, we welcome you to email Cameron Hodson.
if you provide one of these services to another organization,
a SOC audit may apply to you:
PAYROLL SERVICES
IT & WEB HOSTING
EMPLOYEE BENEFITS
CLAIMS PROCESSING
PAYMENT PROCESSING
MORTGAGE SERVICING
DATA ANALYTICS
ADDRESS VERIFICATION
APPRAISAL MANAGEMENT
- SOCS AT A GLANCE
- SOC 1
- SOC 2
- SOC 3
SOC AUDITS AT A GLANCE
Wondering if a SOC audit is right for your company? Curious about which SOC is used for which purpose? Here's an overview of the differences and similarities for all SOC types of audits.
| Type of SOC Audit | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| Intended user | Financial Auditors and officers of the user entities | Users interested in the organization's adherence to Trust Categories (those served by the organization) | Owners interested in the organization’s adherence to Trust Categories, specifically for marketing the organization |
| AICPA Guidance | SSAE 18 and AT-C 320 | AT -C 105, 205, and AICPA Guide | AT-C 105, 205, and AICPA Guide |
| Audit Opinion for Type 1 reports |
|
|
N/A – we report our opinions on whether service organization maintained effective controls over its system as it relates to the trust services categories being reported |
| Audit Opinion for Type 2 reports | Controls are operating effectively during period in review | Controls are operating effectively during period in review | N/A – we report our opinions on whether service organization maintained effective controls over its system as it relates to the trust services categories being reported |
| Who can use the audit? | Restricted to users that already have an understanding of the service organization and its controls | Restricted to users that already have an understanding of the service organization and its controls | General use, can be distributed freely |
| Control objectives | Defined by client | Categories based on AICPA Audit Guide:
|
Categories based on AICPA Audit Guide:
|
SOC 1 AUDITS
SOC 1 audits are audits of internal controls of a service organization in accordance with Statements on Standards for Attestation Engagements (SSAE) as codified into AICPA Attestation Standards (AT-C 320). The most recent major change to standards was implemented by SSAE No. 18, Reporting on Controls at a Service Organization. These reports are intended for entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors). The control objectives that are deemed to be important to the user entities and audited by the SOC auditor are usually defined by the service organization. Because the users of these reports are interested in the financial controls of the service organization, most control objectives selected are related to control objectives that are relevant to financial processes. Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
BENEFIT
As more services are becoming outsourced to other companies, the reliance on service organizations’ controls has increased to ensure the processing integrity, fraud deterrence, and reporting accuracy of businesses are maintained. Obtaining these reports will put customers of service organizations at ease and increase synergy between business partnerships.
SOC 2 AUDITS
SOC 2 audits are audits of internal controls of a service organization in accordance with the AICPA Guide: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended for use by a broader range of users that need information and assurance about the controls that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of information processed by the system.
A SOC 2 audit can have up to five (5) categories of controls. It must include controls related to security. The additional categories that could be selected by the service organization for testing are:-
-
- Availability
- Processing Integrity
- Confidentiality
- Privacy
-
Determining the relevant categories depends on the commitments the service organization has made to customers and the type of services provided. After these categories to be audited are identified, the auditor will review the internal controls of the organization to determine if they meet the criteria associated with the categories as specified by the AICPA Guide. Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
BENEFIT
As the exchange of information between businesses is becoming more prevalent, the commitment and trust between companies can be severed if service organizations are not maintaining adequate controls over the Security, Availability, Processing Integrity, Confidentiality, or Privacy of its systems. Obtaining these reports will allow a service organization to maintain and fortify trust with its user entities and enhance their trust with one another.
SOC 3 AUDITS
SOC 3 audits are audits of internal controls of a service organization in accordance with The AICPA, Trust Services Categories, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Unlike SOC 2 reports, a SOC 3 Audit is generally done by a service organization to measure their level of adherence to the Trust Services Categories to market themselves to potential users. The categories that can be selected for testing by the service organization are the same as SOC 2 audits:
- Security (always included)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
These reports are not restricted and can be freely distributed for marketing purposes. Because of the general use nature of these reports, audit procedures performed are usually more extensive and involved. SOC 3 audits may also require the audit of the service organization’s vendors.
BENEFIT
Obtaining a SOC 3 audit report will not only help promote trust with current customers, but can also effectively differentiate a company from that of other competitors and give the boost a company may need to generate new business from prospective customers. SOC 3 reports can also be publicly presented on a company’s website.
.png)
