SOC Examinations

SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity

System and Organization Controls (SOC) Examinations

Differentiate your organization by reporting on controls that increase transparency and build trust with internal and external stakeholders.

SOC 1 Examination

A SOC 1 report, once known as SSAE16, helps service organizations demonstrate their controls specific to the client’s financial reporting. The report is most applicable when the service provider performs financial transaction processing or supports a transaction processing system. Control objectives are not pre-defined and need to be scoped prior to the reporting engagement or during a readiness assessment. SOC 1 reports are focused on user entities’ internal control over financial reporting (ICOFR). Examples of organizations that should consider a SOC 1 report include: Cloud ERP service providers, financial services, payroll processing, payment processing, healthcare claims processing and data center colocation.

LEARN MORE ABOUT SOC 1 >

SOC 2 Examination

SOC 2 reports apply more broadly to operational controls covering one or more of the five Trust Services Principles (TSPs): Security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems. Examples of organizations that should consider a SOC 2 report include: Cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise system housing third party data, IT systems management and data center colocation.

LEARN MORE ABOUT SOC 2 >

SOC 3 Examination

Much like the SOC 2 report, the SOC 3 examination reports on a service provider’s system security, availability, processing integrity, confidentiality, and/or privacy related to the Trust Services Principles; however, this report is considered to be for general use and can be distributed on a website for the public to read. Examples of organizations that should consider a SOC 3 report include: Cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise system housing third party data, IT systems management and data center colocation.

LEARN MORE ABOUT SOC 3 >

SOC for Cybersecurity

Launched in 2017, SOC for Cybersecurity is a reporting framework over an entire entity’s cybersecurity risk management program and related controls. Unlike the traditional SOC reports, SOC for Cybersecurity can have other specific uses such as management reporting to a board or audit committee and a mechanism to demonstrate and communicate due diligence and due care in the entity’s cybersecurity program.

LEARN MORE ABOUT SOC FOR CYBERSECURITY >

How It Works

Phase I  SOC Readiness Assessment

Concerns about security and compliance reporting drive organizations to seek help with review of their procedures before undergoing the audit. The purpose of a readiness review is to identify control weaknesses that need correction. Deliverables from the readiness assessment include:

  • Preliminary control discovery results that will assist in documenting process narratives and crafting the description of controls
  • Control gaps and areas of improvement
  • Prioritized observations and recommendations for remediation

The advantage of performing a readiness assessment prior to the SOC examination is to give management an opportunity to address control gaps prior to an inaugural SOC examination.

Phase II SOC Examination Reporting

BARR performs a SOC 1, SOC 2, and/or a SOC 3 examination. There are two types of reporting periods for most SOC reports including a Type 1 (point in time) and Type 2 (specified period of time). Both reports include a description of the overall business and control environment, control objectives, and the supporting control procedures in place to achieve the control objectives.

Deliverables of this phase include a Type 1 or a Type 2 report over any one, or combination of SOC 1, SOC 2, SOC 3 reporting frameworks using the control objectives, trust services principles, or other criteria specified by the client.

At BARR, we are committed to guiding you through the engagement process.

Learn what to expect with your engagement lead from kickoff to final deliverable and everything in between.

See Our Step-By-Step Process

Contact Us for a Free Consultation

We’re here to help you! Speak with a BARR specialist about your security and compliance needs.

Why BARR for SOC Reporting

  • BARR’s SOC clients report services lead to a 70% reduction in customer compliance questionnaires; 75% less time spent on internal resources needed to pass audit
  • Trusted advisor to some of the fastest growing cloud service providers (IaaS, PaaS, SaaS) in the country
  • Nearly 100% client retention rate
  • Serving the most regulated industries including technology, financial services, healthcare and government
  • Competitive, fixed rates to accommodate growing enterprises
  • We put you and your business first, providing unparalleled communication and accessibility at all times

Client Testimonials

Recent Blog Posts

Understand the Key Differences Between ISO 27001 and SOC 2 and Why You Might Need Both

| ISO27000, SOC Reporting | No Comments

With data risk on the rise, you may be questioning which security framework is best for your organization. Two compliance standards to consider are the International Organization for Standards (ISO)…

Company leader sits down to write the system description for their company's SOC 2 report.

Let’s Talk SOC 2 System Descriptions—What They Are and How to Write Them

| SOC Reporting | No Comments

Not sure what to include in your company’s SOC 2 report system description? You’re not alone. Some of the most common questions we get from our clients are related to…

How Long Are SOC Reporting Periods? Here’s What to Expect

| SOC Reporting | No Comments

Today, companies face an unprecedented amount of security challenges, which is why the need for a System and Organization Controls (SOC) report is more important than ever. A SOC report…

Contact Us for a Free Consultation

We’re here to help you! Speak with a BARR specialist about your security and compliance needs.