System and Organization Controls (SOC) audit reports give user entities the information they need to assess the risks associated with a service organization's financial and operational access to their systems and data.
Do you use third-party vendors to process or store data? Are you aware of their IT and business process controls, and of how securely they handle your information and their access to your systems?
Our SOC experts are well-versed in the important changes and additional responsibilities placed upon organizations planning on undergoing a SOC examination and have the distinction of being recognized as the leading SOC specialists in the country by the Oversight Task Forces of the AICPA Peer Review Board.
Withum’s SOC Team can put you in a position of strength. We understand that your time and employee resources are limited. We also know that compliance is only sustainable when it fits realistically with the needs of the organization. Our efficient customized work programs are designed to fit your business model, so you can develop realistic and sustainable best-practice methodologies.
SOC Audit Reports
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
SOC 1℠ reports (formerly referred to as SSAE 16 reports and, before that, SAS 70 reports) evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. SOC 1℠ reports have become an essential tool for user entities’ compliance with laws and regulations such as the Sarbanes-Oxley Act, and for user entities’ auditors as they plan and perform audits of financial statements.
The standard on which SOC 1℠ reports are based, SSAE 18 (AT-C section 320), is closely aligned with the international standard ISAE 3402 (International Standard on Assurance Engagements 3402). A SOC 1℠ report for a service organization with international clients is commonly issued under both standards so that it also satisfies those clients’ audit requirements.
Within SOC 1℠ reports there are three service options that can be provided by Withum.
Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
The SOC 2℠ framework was established to give service organizations a means of obtaining an independent assessment of their control environment and supporting controls when the service they provide concerns a subject matter other than financial reporting. SOC 2℠ reports let service organizations present an in-depth look at the controls related to Security, Availability, Processing Integrity, Confidentiality and/or Privacy that they have implemented to support the service. These reports give stakeholders a thorough understanding of the service organization, the service being provided and the internal controls relating to that service, empowering them to evaluate their service organizations and maintain better oversight of the organizations they do, or plan to do, business with.
The framework used for SOC 2℠ reporting is the Trust Services Criteria (TSC, published by the AICPA as TSP section 100), established by the AICPA Assurance Services Executive Committee (ASEC). A service organization selects one or more of the five trust services categories to include within a SOC 2℠ report; Security must always be one of them, because the Security criteria (the common criteria) are foundational to the rest of the framework. SOC 3℠ reports use the same framework; the primary difference is that a SOC 2℠ report is a restricted-use report (restricted to parties such as prospective and existing user entities, user auditors and regulators), while a SOC 3℠ report is a general-use report that may be distributed without restriction. Because of that unrestricted distribution, the SOC 3℠ report is much less detailed: it omits the description of the auditor’s tests of controls and their results that a SOC 2℠ report includes.
Within SOC 2℠ reports there are three service options that can be provided by WithumSmith+Brown.
Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy: General Use Report
SOC 3℠ reports follow the same general process as SOC 2℠ reports; the service offerings associated with SOC 2℠ therefore apply to the SOC 3℠ reporting services provided by WithumSmith+Brown. SOC 3℠ reports are not commonly obtained on their own, because the limited detail they contain is of little value to user auditors and for due-diligence purposes. When a service organization chooses to obtain a SOC 3℠ report, it is typically in combination with a SOC 2℠ report, so that it gains the benefits of both reports without duplicating control testing: the testing is performed once and used for both reports.
SOC for Cybersecurity℠
Reporting on an Organization’s Enterprise-Wide Cybersecurity Risk Management Program
Are you confident in the design and operating effectiveness of your organization’s cybersecurity risk management program? SOC for Cybersecurity is a new entity-wide attestation examination that allows an organization to report on its cybersecurity risk management program to internal and external stakeholders with credibility. The report lets the organization communicate relevant, useful information about that program, backed by an independent examination report issued by a CPA.
Withum’s SOC team is among the first to be accredited with the SOC for Cybersecurity certification. In fact, the AICPA has retained Withum to present the first SOC for Cybersecurity Certificate training course for practitioners, and seven Withum team members have achieved the SOC for Cybersecurity digital badge and are qualified to consult on and audit an entity’s cybersecurity risk management program.