System and Organization Controls (SOC) Examinations

Differentiate your organization by reporting on controls that increase transparency and build trust with internal and external stakeholders.

SOC 1 Examination

A SOC 1 report, formerly issued under SSAE 16, helps service organizations demonstrate the controls that are relevant to their clients' financial reporting. The report is most applicable when the service provider performs financial transaction processing or supports a transaction processing system. Control objectives are not pre-defined; they must be scoped before the reporting engagement or during a readiness assessment. SOC 1 reports focus on user entities' internal control over financial reporting (ICOFR). Examples of organizations that should consider a SOC 1 report include cloud ERP service providers, financial services, payroll processing, payment processing, healthcare claims processing, and data center colocation.

SOC 2 Examination

SOC 2 reports apply more broadly to operational controls covering one or more of the five Trust Services Principles (TSPs): security, availability, confidentiality, processing integrity, and privacy, across a variety of systems. Examples of organizations that should consider a SOC 2 report include cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise systems housing third-party data, IT systems management, and data center colocation.

SOC 3 Examination

Much like the SOC 2 report, the SOC 3 examination reports on a service provider's system security, availability, processing integrity, confidentiality, and/or privacy in relation to the Trust Services Principles; however, this report is considered to be for general use and can be published on a website for the public to read. Examples of organizations that should consider a SOC 3 report include cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise systems housing third-party data, IT systems management, and data center colocation.

SOC for Cybersecurity

Launched in 2017, SOC for Cybersecurity is a reporting framework covering an entire entity's cybersecurity risk management program and related controls. Unlike the traditional SOC reports, SOC for Cybersecurity can serve other specific uses, such as management reporting to a board or audit committee, and it provides a mechanism to demonstrate and communicate due diligence and due care in the entity's cybersecurity program.

How It Works

Phase I: SOC Readiness Assessment

Concerns about security and compliance reporting lead organizations to seek help reviewing their procedures before undergoing the audit. The purpose of a readiness review is to identify control weaknesses that need correction. Deliverables from the readiness assessment include:

  • Preliminary control discovery results that will assist in documenting process narratives and crafting the description of controls
  • Control gaps and areas of improvement
  • Prioritized observations and recommendations for remediation

The advantage of performing a readiness assessment before the SOC examination is that it gives management an opportunity to address control gaps ahead of an inaugural SOC examination.

Phase II: SOC Examination Reporting

BARR performs a SOC 1, SOC 2, and/or SOC 3 examination. Most SOC reports come in one of two reporting types: a Type 1 (as of a point in time) and a Type 2 (over a specified period of time). Both types include a description of the overall business and control environment, the control objectives, and the supporting control procedures in place to achieve those objectives.

Deliverables of this phase include a Type 1 or Type 2 report over any one, or combination, of the SOC 1, SOC 2, and SOC 3 reporting frameworks, using the control objectives, trust services principles, or other criteria specified by the client.

Why BARR for SOC Reporting

  • BARR's SOC clients report that our services lead to a 70% reduction in customer compliance questionnaires and 75% less time spent by internal resources to pass an audit
  • Trusted advisor to some of the fastest-growing cloud service providers (IaaS, PaaS, SaaS) in the country
  • 100% referral and satisfaction rate from clients
  • Serving the most regulated industries, including technology, financial services, healthcare, and government
  • Competitive, fixed rates to accommodate growing enterprises
  • We put you and your business first, providing unparalleled communication and accessibility at all times
