System Organization Controls (SOC) Examinations

Differentiate your organization by reporting on controls that increase transparency and build trust with internal and external stakeholders.

SOC 1 Examination

A SOC 1 report, once known as SSAE16, helps service organizations demonstrate their controls specific to the client’s financial reporting. The report is most applicable when the service provider performs financial transaction processing or supports a transaction processing system. Control objectives are not pre-defined and need to be scoped prior to the reporting engagement or during a readiness assessment. SOC 1 reports are focused on user entities’ internal control over financial reporting (ICOFR). Examples of organizations that should consider a SOC 1 report include: Cloud ERP service providers, financial services, payroll processing, payment processing, healthcare claims processing and data center colocation.

SOC 2 Examination

SOC 2 reports apply more broadly to operational controls covering one or more of the five Trust Services Principles (TSPs): Security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems. Examples of organizations that should consider a SOC 2 report include: Cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise system housing third party data, IT systems management and data center colocation.

SOC 3 Examination

Much like the SOC 2 report, the SOC 3 examination reports on a service provider’s system security, availability, processing integrity, confidentiality, and/or privacy related to the Trust Services Principles; however, this report is considered to be for general use and can be distributed on a website for the public to read. Examples of organizations that should consider a SOC 3 report include: Cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise system housing third party data, IT systems management and data center colocation.

SOC for Cybersecurity

Launched in 2017, the SOC for Cybersecurity is reporting framework over an entire entity’s cybersecurity risk management program and related controls. Unlike the traditional SOC reports, SOC for Cybersecurity can have other specific uses such as management reporting to a board or audit committee and a mechanism to demonstrate and communicate due diligence and due care in the entity’s cybersecurity program.

How It Works

Phase I  SOC Readiness Assessment

Concerns about security and compliance reporting drive organizations to seek help with review of their procedures before undergoing the audit. The purpose of a readiness review is to identify control weaknesses that need correction. Deliverables from the readiness assessment include:

  • Preliminary control discovery results that will assist in documenting process narratives and crafting the description of controls
  • Control gaps and areas of improvement
  • Prioritized observations and recommendations for remediation

The advantage of performing a readiness assessment prior to the SOC examination is to give management an opportunity to address control gaps prior to an inaugural SOC examination.

Phase II SOC Examination Reporting

BARR performs a SOC 1, SOC 2, and/or a SOC 3 examination. There are two types of reporting periods for most SOC reports including a Type I (point in time) and Type II (specified period of time). Both reports include a description of the overall business and control environment, control objectives, and the supporting control procedures in place to achieve the control objectives.

Deliverables of this phase include a Type I or a Type II report over any one, or combination of SOC 1, SOC 2, SOC 3 reporting frameworks using the control objectives, trust services principles, or other criteria specified by the client.

Why BARR for SOC Reporting

  • BARR’s SOC clients report services lead to a 70% reduction in customer compliance questionnaires; 75% less time spent on internal resources needed to pass audit
  • Trusted advisor to some of the fastest growing cloud service providers (IaaS, PaaS, SaaS) in the country
  • 100% referral and satisfaction rate from clients
  • Serving the most regulated industries including technology, financial services, healthcare and government
  • Competitive, flexible rates to accommodate growing enterprises
  • We put you and your business first, providing unparalleled communication and accessibility at all times

Recent Blog Posts

Cloud storage

Store Data Overseas? What CSPs Need to Know About Microsoft’s SCA Challenge

| Cloud Computing, Compliance Updates, Healthcare Security, News, PCI DSS, Risk Management, SaaS, SOC Reporting, Vulnerability Management | No Comments

Data transcends national borders. A cloud service provider may host a user’s data next door, or it may store it halfway around the world. But an upcoming ruling by the…

4 Qualities to Look for in a Cybersecurity Auditing Firm

| Cloud Computing, Compliance Updates, Federal, Healthcare Security, ISO27000, News, PCI DSS, Risk Management, SaaS, SOC Reporting, Vulnerability Management | No Comments

Whether your business is large or small, a promising startup or household brand name, there has never been a greater need to make cybersecurity a top corporate priority. New technologies,…

Compliant Isn’t Secure: 4 Steps to Keep Your Data Safe

| Cloud Computing, Federal, Healthcare Security, PCI DSS, Risk Management, SOC Reporting, Vulnerability Management | No Comments

Data security starts with compliance. Unfortunately, some companies also believe it ends there. While compliance with standards such as SOC 2 or PCI can provide baseline protection, it can’t magically…

Contact Us for a Free Consultation

We’re here to help you! Speak with a BARR specialist about your security and compliance needs.