What Is A SOC Audit Report?

System and Organization Controls (SOC) Audit Reports are a series of comprehensive internal control reports that can only be prepared by a licensed CPA firm. SOC audits provide organizations with valuable information that users need to assess the risks associated with their financial and operational access to systems and data. The information included in a SOC report is utilized to both establish trust and provide transparency to users of the report — which typically includes clients and their auditors.

If you utilize third-party vendors to process or store data, are you aware of their IT and business process controls, and how secure your information may be? If not, you might want to ask to see their SOC audit report.

Which SOC Audit Services Do You Need?

At Withum, we provide the full-range of SOC Audit Report Services, including SOC for Cybersecurity. Our SOC audit experts are well-versed in the important changes and additional responsibilities placed upon organizations planning on undergoing an AICPA SOC examination. These members have the distinction of being recognized as the leading SOC specialists in the country by the Oversight Task Forces of the AICPA Peer Review Board.

Withum’s SOC Team can put you in a position of strength and provide you with the SOC audit services you need. We understand that your time and employee resources are limited. We also know that one-size does not fit all, as controls are only sustainable when they fit realistically with the needs of the organization. Our efficient customized work programs are designed to fit your business model, so you can develop realistic and sustainable best-practice methodologies.

We aid the organizations we work with in understanding the different internal control reporting options that are available (1, 2, 3 and Cybersecurity), and which option(s), if any, is ideal for their particular scenario, including client, regulatory, and business needs.

The SOC 1SM Audit Report

A SOC 1SMAudit Report covers internal controls over financial reporting.

The SOC 1SMAudit Report(formerly referred to as SSAE 16 and SAS 70) is intended to evaluate the effect of the internal controls at a service organization on the user entities’ financial statement assertions. SOC 1SMaudit reports have become an essential tool for businesses to use for the purpose of assessing the risks associated with their service organizations. Additionally, this is used as a tool to comply with industry laws and regulations, such as the Sarbanes-Oxley Act, and for their entities’ auditors as they plan and perform audits of financial statements.

The standard that the SOC 1SMaudit is based on is SSAE 18, which is closely aligned with the International Standard on Assurance Engagements (ISAE) 3402. The ISAE 3402 standard is commonly included within a SOC 1SMreport for third-party Service Organizations that have international clients.

SOC 2 Audit Report

The SOC 2 is a restricted use SOC Audit Report covering the controls at a service organization relevant to Security, Availability, Processing, Integrity, Confidentiality or Privacy.

The framework for the SOC 2SMaudit reportwas established to provide a means for Service Organizations to obtain an independent assessment of their internal control environment and supporting controls when they were providing a service other than financial reporting. A SOC 2SMaudit report enables Service Organizations to provide an in-depth look at their internal controls related toSecurity, Availability, Processing Integrity, Confidentiality and/or Privacythat they have implemented to support the service they are providing. SOC 2SMreports give stakeholders a:

  • Thorough understanding of the Service Organization
  • An understanding of the service being provided
  • Internal controls relating to that service

This empowers stakeholders to evaluate their Service Organization, and maintain better oversight of the organizations they already do business with.

The SOC 2SMframework utilizes the Trust Services Criteria (also referred to as TSP) as a basis for evaluating a Service Organization’s controls. The TSP was established by the AICPA Assurance Services Executive Committee (ASEC). Service Organizations are able to select one or more TSP to include within a SOC 2SMreport,with Security being required to be included as one of the TSP.A SOC 3SMAudit utilizes the same framework, but the SOC 2SMaudit is a restricted use report (restricted to entities such as prospective users, existing user, user auditor, and regulators), while a SOC 3SMis unrestricted for distribution. A SOC 3SMaudit report is much less detailed in nature.

SOC 3 Audit Report

The SOC 3 is a general use SOC Audit Report covering the internal controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

A SOC 3SMaudit report follows the same general process as a SOC 2SMaudit report. SOC 3SMreports are not commonly used in practice due to the limited nature of the value that the report provides for user auditors and for due diligence purposes. A SOC 3SMcan only be obtained in combination with a SOC 2SMreport. This allows the Service Organization to have the benefit of a descriptive SOC 2SMreport, with details of their controls, while also have a SOC 3SMthat can be included on that Service Organization’s website for marketing purposes. Due to the fact SOC 2SMand SOC 3SMutilize the same framework, control testing can be executed once and utilized for both reports.

SOC for Cybersecurity Report

A SOC Audit Report covering an organization’s enterprise-wide cybersecurity risk management program.

Are you confident in the design and effectiveness of your organization’s cybersecurity risk management program? The SOC for Cybersecurity attestationis a new reporting framework established by the AICPA that enables an organization to evaluate their cybersecurity risk management program. An organization can choose to have their cybersecurity risk management program assessed on an entity-wide basis or for a specific division. This reporting framework allows organizations to report on their cybersecurity management programs to internal and external stakeholders with credibility. The report allows organizations to communicate relevant, useful information around their cybersecurity compliance programwith the credibility of a certified, independent examination report.Want to learn more? Check out our SOC for Cybersecurity FAQs!

Withum’s SOC Team is among the first to be accredited with the SOC for Cybersecurity compliance certification. In fact, the AICPA has retained Withum to present the first SOC for Cybersecurity Certificate training course for practitioners. We have seven team members who have achieved the AICPA SOC for Cybersecurity digital badgeand are qualified to consult on, and audit an entities cybersecurity risk management program.

Need SOC Audit Consulting Services?

Contact one of our SOC auditors now to discuss which SOC Audit is right for you.

AICPA SOC Seal

Are you an organization seeking to have an assessment performed to obtain a SOC report? Learn how Withum can help you get the SOC Accounting Seal today.

Leadership

Anthony J. Chapman III

Partner

Princeton, NJ

Anurag Sharma

Partner

Princeton, NJ