Bowman & Company LLP is ready to assist you by providing Service Organization Controls (SOC) readiness assessments and SOC reports. We can help you decide which type of report best meets your needs and those of your customers.
Since 1939, Bowman & Company LLP has provided professional auditing and accounting services to our clients. Our size and varied industry experience set us apart from other firms providing such services.
Learn more about SOC Reports:
Effective June 15, 2011, “SOC” Reports replaced SAS 70 reports. SOC reporting engagements result in three types of reports which address the policies, procedures and controls of an organization that processes transactions for others. The report provides reasonable assurance about the accuracy of the description of the organization’s control procedures, their appropriateness and, in certain cases, their operating effectiveness. To issue a report, an auditor reviews management’s control objectives and procedures.
Both SOC 1 and SOC 2 reports are available in Type 1 (controls are properly designed, in place and documented at a point in time) or Type 2 (controls are properly designed, in place, documented and are operating effectively over a period of time).
The change from SAS 70 to SOC Reports was primarily designed to align with international accounting standards. However, the change also provides options for companies that do not process financial transactions but require assurance reporting as part of their service offering for their customers.
SOC 1 Report: What is it?
Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 engagements are performed under AT Section 801, Reporting on Controls at a Service Organization. This report replaces the traditional SAS 70 report. SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.
There are two types of SOC 1 reports:
SOC 2 Report: What is it?
Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements (AICPA, Professional Standards, vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or type 2 report may be issued, and the report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests. SOC 2 reports specifically address one or more of the following five key system principles:
SOC 3 Report: What is it?
Trust Services Report for Service Organization: SOC 3 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations that also are used in SOC 2 engagements. SOC 3 reports can also be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy). The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). It also permits the service organization to use the SOC 3 seal on its website.