Service Organization Control ("SOC") Audit
In today's regulation-heavy marketplace, third-party service organizations are seeing more user-organization RFPs that require an SOC 1 or SOC 2 audit report as independent evidence that internal controls are suitably designed and operating effectively, with the primary goal of protecting user-organization data and transactions. (An SOC 1 report addresses controls relevant to the user organizations' financial reporting; an SOC 2 report addresses the Trust Services areas described below.) Service organizations that can produce an SOC 1 or SOC 2 audit report from an independent CPA firm can differentiate themselves in the marketplace and demonstrate a strong commitment to protecting user-organization assets.
Quasar Associates can assist you with your SOC audit readiness and compliance efforts. Our team of experienced associates will provide education regarding SOC audit requirements, assist with readiness assessment, conduct the actual SOC audit, and deliver a corresponding SOC audit report. Our goal is to help you execute your SOC audit in an efficient, affordable manner that will not disrupt your business.
What is an SOC 2 Audit?
A Service Organization Control 2 Audit ("SOC 2 Audit") is conducted by an independent CPA firm under the attestation standards of the American Institute of Certified Public Accountants ("AICPA"). An SOC 2 Audit Report is intended to meet the needs of a broad range of user organizations that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users' data, and the confidentiality and privacy of the information processed by those systems.
One or more of the AICPA Trust Services Principles ("TSPs") must be included in an SOC 2 report. These TSPs are security, availability, processing integrity, confidentiality, and privacy.
There are two types of SOC 2 reports:
Type I - Commonly described (in wording carried over from the older SAS 70 standard) as a "Report on Controls Placed in Operation", a Type I SOC 2 Audit Report provides independent verification by a licensed CPA firm as to whether the control activities described by the service organization are suitably designed to meet the criteria for the selected TSPs, and whether those controls were in place as of a specified review date.
In a Type I SOC 2 audit, the audit firm is verifying that the relevant controls were placed in operation as of a specified date (a point-in-time assessment). The Type I audit does not verify the operating effectiveness of the controls, because it does not test them over a period of time.
Type II - Commonly described (again in SAS 70 wording) as a "Report on Controls Placed in Operation and Tests of Operating Effectiveness", a Type II SOC 2 Audit Report provides independent third-party verification by a licensed CPA firm as to whether the control activities described by the service organization are suitably designed to meet the criteria for the selected TSPs, and whether they were in place and operating effectively over a review period, typically of at least six months.
What is an SOC 3 Audit?
An SOC 3 Audit is essentially the same as an SOC 2 Audit, but the audit firm is asked to issue a brief summary report (a "general use" report) that can be freely distributed to anyone or any company. By contrast, an SOC 2 Audit Report is a "restricted use" report and should only be distributed to the service organization's management and to authorized user-organization clients. The underlying required audit work is the same for both the SOC 2 and SOC 3 Audit Reports. As a result, most service organizations simply request an SOC 2 Audit, since the accompanying report contains a detailed description of the service organization's systems and internal controls, including detailed results of testing, and can be distributed on an individual-company basis to those clients that are authorized to receive the detailed report.
Benefits of an SOC 2 Audit
An SOC 2 audit offers many potential benefits to service organizations, such as the following: