Advisory
Assurance
Tax
Technology
By David M. Desmarais
By Daniel M. Andrea
By Hayden Lerner
Employee Benefit Plans
By Ashley Leonard
Office Locations
We strive to bring a "common sense" approach to delivering assurance services.
Net Promoter Score
Delivering world-class client service
For organizations undergoing their first service and organization controls (SOC) audit, it is important to engage an organization that cannot only draw upon past experiences as a service auditor, but can also collaborate with your team in the pre-audit preparation phase. This makes it easier for the goals of the ultimate users of the SOC report to be realized.
To build and maintain confidence in the systems and controls that protect sensitive data, users of service organizations are calling for SOC reporting.
A SOC 1 report examines internal controls at a service organization that impact a user entity’s (your customers) controls over financial reporting. This report is only to be issued when an auditor of your customer needs to gain comfort with your controls to be able to issue audited financial statements. This report can only be used by the auditors of user entities and user entities’ management. Within SOC 1 reporting, there are Type 1 and Type 2 reports. The Type 1 report identifies the controls at a service organization but does not perform any testing to determine if the controls are operating effectively. Type 2 reports identify the controls and report on the operating effectiveness of these controls based on the testing performed.
A SOC 2 report provides detail on the controls at a service organization relevant to the trust service principles (security, availability, processing integrity, confidentiality and privacy). The SOC 2 report can cover any or all of these principles. A SOC 2 report is typically provided to customers to give them comfort over the controls surrounding the trust service principles. Similar to SOC 1 reporting, both Type 1 and Type 2 reports are available within SOC 2 reporting.
A SOC 3 report involves the same procedures as a SOC 2 Type 2 report without providing the details on the controls. This report is typically used for marketing purposes and there are no restrictions on whom this report can be provided.
SOC for Cybersecurity is a risk framework that establishes common criteria and guidelines for communicating about an organization’s cybersecurity risk management program. It enables organizations to report on their cybersecurity management programs to external stakeholders with the credibility associated with an independent examination report. Most organizations have developed a cybersecurity risk management program in the current environment; however few, if any, seem to be testing the program. Vendor risk management is a key element in today’s cloud based environment and having a SOC for Cybersecurity certification will help organizations demonstrate to their shareholders credibility regarding their cybersecurity program and help differentiate themselves from competitors.
SOC for Supply Chain helps organizations, and their customers and business partners, identify, assess, and address supply chain risks, the AICPA has developed a solution to foster greater transparency in the supply chain —a market-driven, flexible, and voluntary reporting framework. This resource helps organizations communicate certain information about the supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks. As organizations slowly get back to “normal”, having a SOC for Supply Chain certification will help manufacturers, distributors and other supply chain players clearly differentiate themselves from competitors.
Organizations are often unclear of what a SOC engagement entails and whether such an examination will result in potentially significant findings. Such findings are not only an obvious concern to management but can also mean the difference in keeping an existing customer and/or securing new customers.
KLR will work with you by first performing a SOC Readiness Assessment to identify potential issues requiring remediation prior to undergoing the SOC examination. Depending upon the type of SOC report (1, 2 or 3), we will also provide advice as to the types of Control Objectives (SOC 1) that your users expect or the specific Trust Services Principles (SOC 2 or 3) that are appropriate based upon the services you provide.
By Lauren Amaral
By Kathleen Leavenworth