SOC Examinations

A SOC 1 report, once known as SSAE16, helps service organizations demonstrate their controls specific to the client’s financial reporting. The report is most applicable when the service provider performs financial transaction processing or supports a transaction processing system. Control objectives are not pre-defined and need to be scoped prior to the reporting engagement or during a readiness assessment. SOC 1 reports are focused on user entities’ internal control over financial reporting (ICOFR). Examples of organizations that should consider a SOC 1 report include: Cloud ERP service providers, financial services, payroll processing, payment processing, healthcare claims processing and data center colocation.

SOC 2 reports apply more broadly to operational controls covering one or more of the five Trust Services Principles (TSPs): Security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems. Examples of organizations that should consider a SOC 2 report include: Cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise system housing third party data, IT systems management and data center colocation.

Much like the SOC 2 report, the SOC 3 examination reports on a service provider’s system security, availability, processing integrity, confidentiality, and/or privacy related to the Trust Services Principles; however, this report is considered to be for general use and can be distributed on a website for the public to read. Examples of organizations that should consider a SOC 3 report include: Cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise system housing third party data, IT systems management and data center colocation.

Launched in 2017, SOC for Cybersecurity is a reporting framework over an entire entity’s cybersecurity risk management program and related controls. Unlike the traditional SOC reports, SOC for Cybersecurity can have other specific uses such as management reporting to a board or audit committee and a mechanism to demonstrate and communicate due diligence and due care in the entity’s cybersecurity program.

Any organization that wants to differentiate themselves by reporting on controls that increase transparency and build trust with internal and external stakeholders should opt for SOC compliance. Speak with a SOC auditor at BARR to learn more about which type of SOC report may be best suited for your organization.

In addition to providing security and transparency, SOC reports demonstrate a commitment to protecting customer data. In many cases, a SOC report may be required to do business with a customer or third party.

Yes. A SOC report contains the auditor’s opinion on the design, effectiveness, and implementation of the relevant controls.

The type of SOC report best suited for your organization will depend on the requirements of your customers and stakeholders. Speaking with a trusted SOC auditor at BARR about your organization’s needs can help determine which SOC report is right for you.

No, completing a SOC audit does not result in any certification. Instead, the resulting report provides a CPA’s opinion on the design, effectiveness, and implementation of a service organization’s relevant internal controls. While no organization can technically be “SOC certified,” completing a SOC examination with BARR will help you demonstrate your commitment to protecting customer data.