If you utilize third-party vendors to process or store data, are you aware of their IT and business process controls, and how secure your information may be? If not, you might want to ask to see their SOC audit report.
At Withum, we provide the full-range of SOC Audit Report Services, including SOC for Cybersecurity. Our SOC audit experts are well-versed in the important changes and additional responsibilities placed upon organizations planning on undergoing an AICPA SOC examination. These members have the distinction of being recognized as the leading SOC specialists in the country by the Oversight Task Forces of the AICPA Peer Review Board.
Withum’s SOC Team can put you in a position of strength and provide you with the SOC audit services you need. We understand that your time and employee resources are limited. We also know that one-size does not fit all, as controls are only sustainable when they fit realistically with the needs of the organization. Our efficient customized work programs are designed to fit your business model, so you can develop realistic and sustainable best-practice methodologies.
We aid the organizations we work with in understanding the different internal control reporting options that are available (1, 2, 3 and Cybersecurity), and which option(s), if any, is ideal for their particular scenario, including client, regulatory, and business needs.
The SOC 1SMAudit Report (formerly referred to as SSAE 16 and SAS 70) is intended to evaluate the effect of the internal controls at a service organization on the user entities’ financial statement assertions. SOC 1SM audit reports have become an essential tool for businesses to use for the purpose of assessing the risks associated with their service organizations. Additionally, this is used as a tool to comply with industry laws and regulations, such as the Sarbanes-Oxley Act, and for their entities’ auditors as they plan and perform audits of financial statements.
The standards that the SOC 1SM audit is based off of is SSAE 18, which is closely aligned with the International Standard on Assurance Engagements (ISAE) 3402. The ISAE 3402 standard is commonly included within a SOC 1SM report for third-party Service Organizations that have international clients.
The framework for the SOC 2SM audit report was established to provide a means for Service Organizations to obtain an independent assessment of their internal control environment and supporting controls when they were providing a service other than financial reporting. A SOC 2SM audit reports enable Service Organizations to provide an in-depth look at their internal controls related to Security, Availability, Processing Integrity, Confidentiality and/or Privacy that they have implemented to support the service they are providing. SOC 2SM reports give stakeholders a:
This empowers stakeholders to evaluate their Service Organization, and maintain better oversight of the organizations they already do business with.
The SOC 2SM framework utilizes the Trust Services Criteria (also referred to as TSP) as a basis for evaluating a Service Organization’s controls. The TSP was established by the AICPA Assurance Services Executive Committee (ASEC). Service Organizations are able to select one or more TSP to include within a SOC 2SM report, with Security being required to be included as one of the TSP. A SOC 3SM Audit utilizes the same framework, but the SOC 2SM audit is a restricted use report (restricted to entities such as prospective users, existing user, user auditor, and regulators), while a SOC 3SM is unrestricted for distribution. A SOC 3SM audit report is much less detailed in nature.
A SOC 3SM audit report follows the same general process as a SOC 2SM audit report. SOC 3SM reports are not commonly used in practice due to the limited nature of the value that the report provides for user auditors and for due diligence purposes. A SOC 3SM can only be obtained in combination with a SOC 2SM report. This allows the Service Organization to have the benefit of a descriptive SOC 2SM report, with details of their controls, while also have a SOC 3SM that can be included on that Service Organization’s website for marketing purposes. Due to the fact SOC 2SM and SOC 3SM utilize the same framework, control testing can be executed once and utilized for both reports.
Are you confident in the design and effectiveness of your organization’s cybersecurity risk management program? The SOC for Cybersecurity attestation is a new reporting framework established by the AICPA that enables an organization to evaluate their cybersecurity risk management program. An organization can choose to have their cybersecurity risk management program assessed on an entity-wide basis or for a specific division. This reporting framework allows organizations to report on their cybersecurity management programs to internal and external stakeholders with credibility. The report allows organizations to communicate relevant, useful information around their cybersecurity compliance program with the credibility of a certified, independent examination report. Want to learn more? Check out our SOC for Cybersecurity FAQs!
Withum’s SOC Team is among the first to be accredited with the SOC for Cybersecurity compliance certification. In fact, the AICPA has retained Withum to present the first SOC for Cybersecurity Certificate training course for practitioners. We have seven team members who have achieved the AICPA SOC for Cybersecurity digital badge and are qualified to consult on, and audit an entities cybersecurity risk management program.
The SOC team is among the few to have all of the SOC accreditations. Fill in the form below and our team will be in touch.