Systems and Organization Controls (SOC) Audit Services

SOC Audit Reports are a series of comprehensive internal control reports that can only be prepared by a licensed CPA firm. SOC audits provide organizations with valuable information that users need to assess the risks associated with their financial and operational access to systems and data. The information included in a SOC report is utilized to both establish trust and provide transparency to users of the report — which typically includes clients and their auditors.

If you utilize third-party vendors to process or store data, are you aware of their IT and business process controls, and how secure your information may be? If not, you might want to ask to see their SOC audit report.

At Withum, we provide a full–range of SOC Audit Services, including SOC for Cybersecurity. Our SOC audit experts are well-versed in the important changes and additional responsibilities that organizations must address when planning to undergo an AICPA SOC examination. These members have the distinction of being recognized as the leading SOC specialists in the country by the Oversight Task Forces of the AICPA Peer Review Board.

We understand that your time and employee resources are limited. We also know that one-size does not fit all, as controls are only sustainable when they align realistically with the needs of the organization. Our efficient, customized work programs are designed to fit your business model, allowing you to develop realistic and sustainable best-practice methodologies.

We aid the organizations we work with in understanding the different internal control reporting options that are available (SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity), and which option(s), if any, are ideal for their particular scenario, including client, regulatory, and business needs.

A SOC 1^SMAudit Report covers internal controls over financial reporting.

The SOC 1^SMAudit Report (formerly referred to as SSAE 16 and SAS 70) is intended to evaluate the effect of the internal controls at a service organization on the user entities’ financial statement assertions. SOC 1^SMaudit reports have become an essential tool for businesses to use for the purpose of assessing the risks associated with their service organizations. Additionally, this is used as a tool to comply with industry laws and regulations, such as the Sarbanes-Oxley Act, and for their entities’ auditors as they plan and perform audits of financial statements.

The standard that the SOC 1^SMaudit is based on is SSAE 18, which is closely aligned with the International Standard on Assurance Engagements (ISAE) 3402. The ISAE 3402 standard is commonly included within a SOC 1^SMreport for third-party Service Organizations that have international clients.

The SOC 2 is a restricted use SOC Audit Report covering the controls at a service organization relevant to Security, Availability, Processing, Integrity, Confidentiality or Privacy.

The framework for the SOC 2^SMaudit report was established to provide a means for Service Organizations to obtain an independent assessment of their internal control environment and supporting controls when they were providing a service other than financial reporting. A SOC 2^SMaudit report enables Service Organizations to provide an in-depth look at their internal controls related to Security, Availability, Processing Integrity, Confidentiality and/or Privacy that they have implemented to support the service they are providing. These SOC reports give stakeholders a:

• Thorough understanding of the Service Organization
• An understanding of the service being provided
• Internal controls relating to that service

This empowers stakeholders to evaluate their Service Organization, and maintain better oversight of the organizations they already do business with.

The SOC 2^SMframework utilizes the Trust Services Criteria (also referred to as TSC) as a basis for evaluating a Service Organization’s controls. The TSC was established by the AICPA Assurance Services Executive Committee (ASEC). Service Organizations are able to select one or more categories to include within a SOC 2^SMreport, with Security being required to be included as one of the categories. A SOC 3^SMAudit utilizes the same framework, but the SOC 2^SMaudit is a restricted use report (restricted to entities such as prospective users, existing user, user auditor, and regulators), while a SOC 3^SMis unrestricted for distribution. A SOC 3^SMaudit report is much less detailed in nature.

The SOC 3 is a general use SOC Audit Report covering the internal controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

A SOC 3^SMaudit report follows the same general process as a SOC 2^SMaudit report. SOC 3^SMreports are not commonly used in practice due to the limited nature of the value that the report provides for user auditors and for due diligence purposes. A SOC 3^SMcan only be obtained in combination with a SOC 2^SMreport. This allows the Service Organization to have the benefit of a descriptive SOC 2^SMreport, with details of their controls, while also having a SOC 3^SMthat can be included on that Service Organization’s website for marketing purposes. Due to the fact SOC 2^SMand SOC 3^SMutilize the same framework, control testing can be executed once and utilized for both reports.

A SOC Audit Report covering an organization’s enterprise-wide cybersecurity risk management program.

Are you confident in the design and effectiveness of your organization’s cybersecurity risk management program? The SOC for Cybersecurity attestation is a reporting framework established by the AICPA that enables an organization to evaluate their cybersecurity risk management program. An organization can choose to have its cybersecurity risk management program assessed on an entity-wide basis or for a specific division. This reporting framework allows organizations to report on their cybersecurity management programs with credibility to both internal and external stakeholders. The report allows organizations to communicate relevant, useful information around their cybersecurity compliance program with the credibility of a certified, independent examination report.