SOC 2 Audit

Service Organization Control ("SOC") Audit

In today's regulatory-intense marketplace, third party service organizations are noticing more user organization RFPs that require an SOC 1 or SOC 2 audit report to assert that internal controls are appropriately designed and operating effectively, with the primary goal of protecting user organization data and transactions.  Those service organizations that can provide an SOC 1 or SOC 2 audit report from an independent CPA firm can differentiate themselves in the marketplace and demonstrate a strong commitment to protecting user organization assets. 

Quasar Associates can assist you with your SOC audit readiness and compliance efforts.  Our team of experienced associates will provide education regarding SOC audit requirements, assist with readiness assessment, conduct the actual SOC audit, and deliver a corresponding SOC audit report.  Our goal is to help you execute your SOC audit in an efficient, affordable manner that will not disrupt your business. 

What is an SOC 2 Audit?

A Service Organization Control 2 Audit (“SOC 2 Audit”) is conducted by an independent CPA audit firm under the American Institute of Certified Public Accountants (“AICPA”) audit standards.  An SOC 2 Audit Report is intended to meet the needs of a broad range of user organizations that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems.  

One or more of the AICPA Trust Service Principles (“TSPs”) must be included in a SOC 2 report. These TSPs are:

  • IT Security – The system is protected against unauthorized access, physically and logically.
  • Availability – The system is available for operation and use as committed to or agreed.
  • Processing integrity – System processing is complete, accurate, timely and authorized.
  • Confidentiality – Information designated as confidential is protected as committed to or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (“GAPP”).

There are two types of SOC 2 reports:

Type I - Officially known as a "Report on Controls Placed in Operation" or a Type I SOC 2 Audit Report, this audit provides an independent verification by a licensed CPA firm as to whether control activities described by the service organization are suitably designed to meet specified control objectives and whether the controls were in place as of a specified review date.

In a Type I SOC 2 audit, the audit firm is verifying that the relevant controls were placed in operation as of a specified date.  However, the Type I audit does not verify the operating effectiveness of the controls by testing them over a period of time.

Type II - Officially known as a "Report on Controls Placed in Operation and Tests of Operating Effectiveness" or a Type II SOC 2 Audit Report, this audit provides independent third party verification by a licensed CPA firm as to whether control activities described by a service organization are suitably designed to meet specified control objectives and were in place and operating effectively over a period of time that is typically at least a six month period.

What is an SOC 3 Audit?

An SOC 3 Audit is essentially the same as an SOC 2 Audit, but the audit firm is asked to provide a brief summary report that can be freely distributed to anyone or any company (conversely, an SOC 2 Audit Report is considered a "restricted use" audit report and should only be distributed to authorized user organization clients).  However, the underlying required audit work is the same for both the SOC 2 and SOC 3 Audit Reports.  As a result, most service organizations simply request an SOC 2 Audit, as the accompanying audit report contains a detailed description of the service organization's systems and internal controls, including detailed results of testing, and can be distributed on an individual company basis to those clients that are authorized to receive the detailed report. 

Benefits of an SOC 2 Audit

An SOC 2 audit offers many potential benefits to service organizations, such as the following:

  • Provides customers (user organizations) with independent third party verification regarding the state of internal controls that govern their outsourced transactions and data.
  • Distinguishes the service organization from its competitors.  Normally, service organizations highlight the successful completion of an SOC audit in marketing materials because of the high value placed on the audit by the business community.
  • Presents an opportunity to gain a competitive advantage over rival companies that have not yet developed a comprehensive internal control assurance process. 
  • Helps a service organization build trust with its customers by providing independent verification that proper controls are in place.
  • If properly designed, can provide benefits similar to an internal audit function for service organizations that do not currently have an internal audit department.  This often leads to identification of improvement opportunities in related operational areas.