Do you provide critical outsourced services to your customers? Your customers might expect you to have a System and Organization Control (SOC) report in place, which requires an audit. Who can perform a SOC audit? We have the details here.

What is a SOC audit?

A System & Organization Control (SOC) audit is a report on the internal controls at a service organization (a business who provides services to other entities). SOC audits are a great way for customers to ensure that service providers are practicing safe and secure controls and protecting personal data.

There are three types of SOC reports:

SOC 1- This report focuses solely on a service organization’s controls relevant to user entities’ (the entities that use the said service organization) internal controls over financial reporting.

SOC 2- This report addresses controls at the service organization related to operations and compliance using the Trust Services Criteria framework for the Security, Availability, Processing Integrity, Confidentiality or Privacy principles. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance, risk management process and regulatory oversight.

SOC 3- This is a condensed version of SOC 2, intended for general use and distribution.

There are two types of reports under a SOC 1 or SOC 2 engagements:

Type 1 – This is a report on the presentation of management’s description of the service organization’s system and the suitability of the design of the controls as of a specified date.

Type 2 – This is a report on the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls throughout a specified period.

Both SOC 1 and SOC 2 reports are restricted to the management of the service organization, user entities, and user auditors.

Who can perform a SOC audit?

SOC audits must be completed by an independent certified public accountant (CPA). CPAs must meet certain requirements to be qualified to perform a SOC audit. This includes:

• The CPA must comply with the most current updates from the American Institute of Certified Public Accountants (AICPA).
• The CPA must have the technical expertise, training and certification to perform such engagements.
• The CPA must be independent, in fact and appearance, to perform the audit.

The SOC report would be deemed invalid if it is not completed by a CPA.

Why should my company have a SOC report?

SOC audits are a great way for customers to ensure that service providers are practicing safe and secure controls and protecting personal data. If you provide critical outsourced services to your customers, they might expect you to have a SOC report in place, which requires a SOC audit.

Trust is essential to building successful relationships between entities and their third-party business associates. To build and maintain confidence in the systems and controls that protect sensitive data, users of service organizations rely heavily on SOC reporting.

When you are ready for a SOC audit, your CPA will help ease the process for you. KLR Advisors would be happy to help you get started. Contact us today.