What We Do?
We focus on internal controls by working hand in hand with the client as a third-party internal auditor. These audits are performed by audit professionals who strive to secure your systems, services and your workplace. Our experts will help your organization with evidence monitoring, control and documentation over a period of 6 or 12 months. We are pleased to offer our clients accurate internal SOC audit services. These services are provided by our experts, who have extensive knowledge of controls over financial reporting and of the trust services principles (Security, Confidentiality, Availability, Processing Integrity and Privacy).
Why Service Organization Control (SOC)?
- Organizations are progressively outsourcing their business, systems, services and data processing to service providers so that they can focus on efficiency, lower costs and rapid deployment of new application functionality
- Have you been asked to provide a SOC report as part of an RFI/RFP response to a client? Though SOC reports are time-consuming, they provide a basis for a general set of controls and testing that allows your organization to be audited once, rather than separately by every client
Service Organization Control Reporting:
- The AICPA has outlined 3 types of SOC reports. Each type of SOC report is designed to meet specific user needs of service organizations
- SSAE 18 replaces SSAE 16
- All SOC 1, SOC 2 and SOC 3 reports are performed under the SSAE 18 standards
SOC Life Cycle
What are SOC reports?
- SOC reports mainly cover the design and operating effectiveness of controls (Type 2 report) over a 12-month period of activity, with connected coverage from year to year
- Reports may cover a shorter period of time, such as 6 months, if the system or service has not been in operation for an entire year or if yearly reporting is insufficient to meet user needs
- Reports may also cover only the design of controls at a specified point in time (Type 1 report). This is usually used for a new system or service
- If a user organization requires a report for a specific period of time covering security and confidentiality for a particular system or service, the user organization would request a SOC 2 Type 2 security and confidentiality report from the service organization
- If a user organization requires a report for a specific period of time covering internal control over financial reporting for a particular system or service, the user organization would request a SOC 1 Type 2 report for that system or service from the service organization
Types of SOC Reports
- SOC 1 – Mainly covers controls at a service organization relevant to user organizations' internal control over financial reporting
- SOC 2 – Mainly covers controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
- SOC 3 – Trust services report for service organizations, intended for general distribution
Let's understand the stakeholders involved

| User Organization | Service Organization | Internal Auditor | Service Auditor |
|---|---|---|---|
| Organization that has outsourced a service to a service organization | Organization that provides services to a user organization | Organization that facilitates and assists the service organization's internal audit | A professional accountant in public practice who provides an assurance report on controls at a service organization |
Type 1 Report:
- A report on the fairness of the presentation of management's description of the service organization's system, and on the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date
- Addresses fairness of presentation and design of controls
Type 2 Report:
- Same as a Type 1 report, but also includes:
  - The service auditor's opinion on the operating effectiveness of the controls
  - A description of the service auditor's tests of operating effectiveness and the results of those tests over a specified period
- Addresses fairness of presentation, design and operating effectiveness of controls