SOC (System and Organization Controls) audits are internal control audit engagements performed for service organizations (organizations that provide certain functions for other entities on an outsourced basis). The SOC audit reports are typically required by and provided to the customers of the service organizations.
SOC audits have only been available since mid-2011. Prior to that time, the audit standard that was available for service organizations was SAS 70. SAS 70 audit reports were developed in the early 1990s to fill a need for the types of outsourced services that were prevalent then. The business process and information technology outsourcing landscape has changed significantly since the 1990s, and the needs of the current marketplace were not being properly addressed by the old SAS 70 reports.
To meet the needs of the current marketplace, three primary types of SOC reports are now available. A SOC 1 report is focused on internal controls over financial reporting and is the closest reporting standard to the former SAS 70. This option is suited to service organizations that process financial data or financial-related data for their customers. SOC 2 and SOC 3 reports are focused on controls related to compliance or operations and address issues such as security, availability, processing integrity, confidentiality, and privacy. SOC 2 and SOC 3 audit reports address the concerns of user entities that use service organizations to provide services that are not related to financial reporting. Typical examples are data hosting, software-as-a-service (SaaS) or cloud-based entities.
Organizations that are considering engaging an auditor to conduct one of these specialized audits need to make the right choice. Making the correct decision for your situation can only be assured by consulting with an expert in this highly specialized audit area. Withum’s SOC audit specialists would be pleased to discuss your particular fact pattern and help you determine the appropriate SOC engagement and engagement scope that will best meet your needs and the requirements of your customers – be sure to pick the SOC that fits!