Service Organization Control (SOC) Reports
Have you been asked to produce a SOC report as part of an RFP response or by a potential client? Are the auditors of your existing client asking if you undergo a SOC audit? While SOC reports are time-consuming, they do provide a basis for a general set of controls and testing that allows your organization to be audited once, instead of by every client. In general, SOC 2® reports are used for the controls over IT. SOC 2® reports can be either a type I or type II report. The type I report is a review of the control design, while a type II report covers both control design and effectiveness testing. OCD Tech is a provider of SOC 2®, SOC 3®, and SOC for Cybersecurity® services.
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality, and privacy. These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of stakeholders':
- Oversight of the organization
- Vendor management program
- Internal corporate governance and risk management processes
- Regulatory oversight
A Type 1 report covers management’s description of a service organization’s system and the suitability of the design of controls. These reports may be restricted in use. A Type 2 report covers management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
Trust Services Report for Service Organizations
SOC 3® reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of a SOC 2® report. These reports are prepared using the AICPA/CPA Canada (formerly Canadian Institute of Chartered Accountants) Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because SOC 3® reports are general use reports, they can be freely distributed.