SOC Audit Services

System and Organization Controls (SOC) Audit Reports are a series of comprehensive internal control reports that can only be prepared by a licensed CPA firm. SOC audits provide organizations with valuable information that users need to assess the risks associated with their financial and operational access to systems and data. The information included in a SOC report is utilized to both establish trust and provide transparency to users of the report — which typically includes clients and their auditors.

If you utilize third-party vendors to process or store data, are you aware of their IT and business process controls, and how secure your information may be? If not, you might want to ask to see their SOC audit report.

At Withum, we provide the full-range of SOC Audit Report Services, including SOC for Cybersecurity. Our SOC audit experts are well-versed in the important changes and additional responsibilities placed upon organizations planning on undergoing an AICPA SOC examination. These members have the distinction of being recognized as the leading SOC specialists in the country by the Oversight Task Forces of the AICPA Peer Review Board.

Withum’s SOC Team can put you in a position of strength and provide you with the SOC audit services you need. We understand that your time and employee resources are limited. We also know that one-size does not fit all, as controls are only sustainable when they fit realistically with the needs of the organization. Our efficient customized work programs are designed to fit your business model, so you can develop realistic and sustainable best-practice methodologies.

We aid the organizations we work with in understanding the different internal control reporting options that are available (1, 2, 3 and Cybersecurity), and which option(s), if any, is ideal for their particular scenario, including client, regulatory, and business needs.

A SOC 1^SMAudit Report covers internal controls over financial reporting.

The SOC 1^SMAudit Report(formerly referred to as SSAE 16 and SAS 70) is intended to evaluate the effect of the internal controls at a service organization on the user entities’ financial statement assertions. SOC 1^SMaudit reports have become an essential tool for businesses to use for the purpose of assessing the risks associated with their service organizations. Additionally, this is used as a tool to comply with industry laws and regulations, such as the Sarbanes-Oxley Act, and for their entities’ auditors as they plan and perform audits of financial statements.

The standard that the SOC 1^SMaudit is based on is SSAE 18, which is closely aligned with the International Standard on Assurance Engagements (ISAE) 3402. The ISAE 3402 standard is commonly included within a SOC 1^SMreport for third-party Service Organizations that have international clients.

The SOC 2 is a restricted use SOC Audit Report covering the controls at a service organization relevant to Security, Availability, Processing, Integrity, Confidentiality or Privacy.

The framework for the SOC 2^SMaudit reportwas established to provide a means for Service Organizations to obtain an independent assessment of their internal control environment and supporting controls when they were providing a service other than financial reporting. A SOC 2^SMaudit report enables Service Organizations to provide an in-depth look at their internal controls related toSecurity, Availability, Processing Integrity, Confidentiality and/or Privacythat they have implemented to support the service they are providing. SOC 2^SMreports give stakeholders a:

This empowers stakeholders to evaluate their Service Organization, and maintain better oversight of the organizations they already do business with.

The SOC 2^SMframework utilizes the Trust Services Criteria (also referred to as TSP) as a basis for evaluating a Service Organization’s controls. The TSP was established by the AICPA Assurance Services Executive Committee (ASEC). Service Organizations are able to select one or more TSP to include within a SOC 2^SMreport,with Security being required to be included as one of the TSP.A SOC 3^SMAudit utilizes the same framework, but the SOC 2^SMaudit is a restricted use report (restricted to entities such as prospective users, existing user, user auditor, and regulators), while a SOC 3^SMis unrestricted for distribution. A SOC 3^SMaudit report is much less detailed in nature.

The SOC 3 is a general use SOC Audit Report covering the internal controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

A SOC 3^SMaudit report follows the same general process as a SOC 2^SMaudit report. SOC 3^SMreports are not commonly used in practice due to the limited nature of the value that the report provides for user auditors and for due diligence purposes. A SOC 3^SMcan only be obtained in combination with a SOC 2^SMreport. This allows the Service Organization to have the benefit of a descriptive SOC 2^SMreport, with details of their controls, while also have a SOC 3^SMthat can be included on that Service Organization’s website for marketing purposes. Due to the fact SOC 2^SMand SOC 3^SMutilize the same framework, control testing can be executed once and utilized for both reports.

A SOC Audit Report covering an organization’s enterprise-wide cybersecurity risk management program.

Are you confident in the design and effectiveness of your organization’s cybersecurity risk management program? The SOC for Cybersecurity attestationis a new reporting framework established by the AICPA that enables an organization to evaluate their cybersecurity risk management program. An organization can choose to have their cybersecurity risk management program assessed on an entity-wide basis or for a specific division. This reporting framework allows organizations to report on their cybersecurity management programs to internal and external stakeholders with credibility. The report allows organizations to communicate relevant, useful information around their cybersecurity compliance programwith the credibility of a certified, independent examination report.Want to learn more? Check out our SOC for Cybersecurity FAQs!

Withum’s SOC Team is among the first to be accredited with the SOC for Cybersecurity compliance certification. In fact, the AICPA has retained Withum to present the first SOC for Cybersecurity Certificate training course for practitioners. We have seven team members who have achieved the AICPA SOC for Cybersecurity digital badgeand are qualified to consult on, and audit an entities cybersecurity risk management program.