SOC Frequently Asked Questions

SOC 1® Report:

What is it? Reports on controls at a service organization relevant to user entities’ internal control over financial reporting:

SOC 1® engagements are performed in accordance with the American Institute of Certified Public Accountants (AICPA), specifically AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting under Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.

There are two types of SOC 1® Reports:

Type 1: A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specific date.

Type 2: A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specific period.

SOC 2® Report:

What is it? Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy:

SOC 2® engagements use the predefined criteria in TSP Section 100: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, as well as the requirements a SOC 2® report is similar to a SOC 1® report.   Either a type 1 or type 2 report may be issued and the report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests. SOC 2® reports specifically address one or more of the following key system attributes:

Security: The system is protected against unauthorized access (both physical and logical).

Availability: The system is available for operation and use as committed or agreed.

Processing Integrity: System processing is complete, accurate, timely, and authorized.

Confidentiality: Information designed as confidential is protected as committed or agreed.

Privacy: Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice.

SOC 3® Report:

What is it? Trust services reports for service organizations:

SOC 3® engagements use the predefined criteria in TSP Section 100: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy that also are used in SOC 2® engagements. The key difference between a SOC 2® report and a SOC 3® report is that a SOC 2® report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system.

A SOC 3® report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). It also permits the service organization to use the SOC 3® seal on its website. SOC 3® reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy).

SOC for Cybersecurity:

What is it? A reporting framework through which organizations can communicate relevant useful information about the effectiveness of their cybersecurity risk management program and CPAs can report on such information to meet the cybersecurity information needs of a broad range of stakeholders.

 

Stay up-to-date

Remain informed and connected. Follow us and join our mailing list.

Savannah
Atlanta
Augusta
Miami
Tampa
Jacksonville
Orlando