SOC Reporting
SOC Reporting for Service Organizations
SOC reports are valuable tools for service organizations. They present the control activities and processes at a service organization in a cohesive format to users of your services and to those users’ auditors.
Some of the benefits include:
- Reducing or potentially eliminating questions and costly site visits
- Differentiating the service organization from its peers and building trust
- Providing additional assurance to management and governance bodies
The Role of Type II SOC 1 Reports
SOC 1
- Covers controls relevant to financial reporting
- Meets the needs of auditors in evaluating the effectiveness of controls at a service organization
- Reports are restricted to the management of the service organization, user entities, and user auditors
SOC 2
- Intended for a broader range of users
- Reports are generally restricted
SOC 3
- A simplified version of a SOC 2 report covering the same subject matter
- General-use report
- Can be freely distributed and posted on a website
Type I and Type II reports
- Type I: Reports on management’s description of a service organization’s system and the suitability of the design of controls.
- Type II: Covers everything that a Type I report includes, plus reports on the operating effectiveness of controls.
SOC 2 Reports cover controls at a service organization relevant to 5 Trust Principles:
- Security: The system is protected against unauthorized access (both physical and logical)
- Availability: The system is available for operation and use as committed or agreed
- Processing integrity: System processing is complete, accurate, timely and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the AICPA and CICA