SOC Audit Services

What SOC Fits Your Organization

System and Organization Controls (SOC) audit reports provide organizations with valuable information that users need to assess the risks associated with financial and operational access to systems and data.

Do you utilize third party vendors to process or store data? Are you aware of their IT and business process controls and how secure they are with your information and access to your systems?

Our SOC experts are well-versed in the important changes and additional responsibilities placed upon organizations planning on undergoing a SOC examination and have the distinction of being recognized as the leading SOC specialists in the country by the Oversight Task Forces of the AICPA Peer Review Board.

Withum’s SOC Team can put you in a position of strength. We understand that your time and employee resources are limited. We also know that compliance is only sustainable when it fits realistically with the needs of the organization. Our efficient customized work programs are designed to fit your business model, so you can develop realistic and sustainable best-practice methodologies.

SOC 1^SM

Report on controls at a service organization relevant to user entities' internal control over financial reporting.

SOC 1^SM (formerly referred to as SSAE 16 and SAS 70) reports are intended to evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. SOC 1 reports have become an essential tool for organizations to use for the purpose of compliance with laws and regulations, such as the Sarbanes-Oxley Act and for the user entities’ auditors as they plan and perform audits of financial statements.

The standards that the SOC 1^SM is based off, SSAE 18, is closely aligned with the international standard, International Standard on Assurance Engagements (ISAE) 3402. The ISAE 3402 standard is commonly included within a SOC 1SM report for third-party Service Organizations that have international clients to address their audit requirements as well.

Within SOC 1^SM reports there are three service options that can be provided by Withumn>

SOC 2^SM

Reporting on controls at a service organization relevant to security, availability, processing, integrity, confidentiality or privacy.

The framework for SOC 2^SM was established to provide a means for Service Organizations to obtain an independent assessment of their control environment and supporting controls when they were providing a service on a subject matter other than financial reporting. SOC 2SM reports enable Service Organizations to provide an in-depth look at the controls related to Security, Availability, Processing Integrity, Confidentiality and/or Privacy that they have implemented to support the service they are providing. These reports give stakeholders a thorough understanding of the Service Organization, the service being provided, internal controls relating to that service; thus, empowering the stakeholders to evaluate their Service Organizations and maintain better oversight as to the organizations they are to do business with or already do business with.

The framework utilized for SOC 2^SM reporting is called the Trust Services Criteria (also referred to as TSP). The TSP was established by the AICPA Assurance Services Executive Committee (ASEC). Service Organizations are able to select one or more TSP to include within a SOC 2^SM report, with Security being required to be included as one of that TSP due to the fact that Security is considered foundational within the framework. SOC 3^SM utilizes the same framework; however, the primary differentiating factor is that the SOC 2^SM report is a restricted use report (restricted to entities such as prospective users, existing user, user auditor, and regulators), while a SOC 3^SM is unrestricted for distribution. Based on the distribution, the SOC 3^SM report is much less detailed in nature.

Within SOC 2^SM reports there are three service options that can be provided by Withum

SOC 3^SM

Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy: General Use Report

SOC 3^SM reports following the same general process as SOC 2^SM reports; therefore, the associated service offerings with SOC 2^SM apply to SOC 3^SM reporting services provided by Withum. SOC 3^SM reports are not commonly used in practice due to the limited nature of the value that the report provides for user auditors and due diligence purposes. When a Service Organization chooses to obtain a SOC 3^SM report it is typically in combination with obtaining a SOC 2^SM report so that they can take advantage of the benefits of both reports without duplication of control testing; considering the control testing executed in both SOC 2^SM and SOC 3^SM can be performed once and utilized for both reports

SOC for Cybersecurity

Reporting on an Organizations’ Enterprise-Wide Cybersecurity Risk Management Program

Are you confident in the design and effectiveness of your organization’s cybersecurity risk management program? SOC for Cybersecurity attestation is a new entity-wide cybersecurity audit that allows organizations to report on their cybersecurity management programs to internal and external stakeholders with credibility. The report allows organizations to communicate relevant, useful information around their cybersecurity risk management program with the credibility of a certified, independent examination report. SOC for Cybersecurity FAQs 

Withum’s SOC team is among the first to be accredited with the SOC for Cybersecurity certification. In fact, the AICPA has retained Withum to present the first SOC for Cybersecurity Certificate training course for practitioners and has seven team members who have achieved the SOC for Cybersecurity digital badge and are qualified to consult on and audit an entities cybersecurity risk management program.