System and Organization Controls (SOC) Examinations

Differentiate your organization by reporting on controls that increase transparency and build trust with internal and external stakeholders.

SOC 1 Examination

A SOC 1 report, once known as SSAE16, helps service organizations demonstrate their controls specific to the client’s financial reporting. The report is most applicable when the service provider performs financial transaction processing or supports a transaction processing system. Control objectives are not pre-defined and need to be scoped prior to the reporting engagement or during a readiness assessment. SOC 1 reports are focused on user entities’ internal control over financial reporting (ICOFR). Examples of organizations that should consider a SOC 1 report include: Cloud ERP service providers, financial services, payroll processing, payment processing, healthcare claims processing and data center colocation.
LEARN MORE

SOC 2 Examination

SOC 2 reports apply more broadly to operational controls covering one or more of the five Trust Services Principles (TSPs): Security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems. Examples of organizations that should consider a SOC 2 report include: Cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise system housing third party data, IT systems management and data center colocation.
LEARN MORE

SOC 3 Examination

Much like the SOC 2 report, the SOC 3 examination reports on a service provider’s system security, availability, processing integrity, confidentiality, and/or privacy related to the Trust Services Principles; however, this report is considered to be for general use and can be distributed on a website for the public to read. Examples of organizations that should consider a SOC 3 report include: Cloud service providers (e.g., SaaS, IaaS, PaaS), enterprise system housing third party data, IT systems management and data center colocation.
LEARN MORE

SOC for Cybersecurity

Launched in 2017, the SOC for Cybersecurity is reporting framework over an entire entity’s cybersecurity risk management program and related controls. Unlike the traditional SOC reports, SOC for Cybersecurity can have other specific uses such as management reporting to a board or audit committee and a mechanism to demonstrate and communicate due diligence and due care in the entity’s cybersecurity program.
LEARN MORE

How It Works

Phase I  SOC Readiness Assessment

Concerns about security and compliance reporting drive organizations to seek help with review of their procedures before undergoing the audit. The purpose of a readiness review is to identify control weaknesses that need correction. Deliverables from the readiness assessment include:

  • Preliminary control discovery results that will assist in documenting process narratives and crafting the description of controls
  • Control gaps and areas of improvement
  • Prioritized observations and recommendations for remediation

The advantage of performing a readiness assessment prior to the SOC examination is to give management an opportunity to address control gaps prior to an inaugural SOC examination.

Phase II SOC Examination Reporting

BARR performs a SOC 1, SOC 2, and/or a SOC 3 examination. There are two types of reporting periods for most SOC reports including a Type 1 (point in time) and Type 2 (specified period of time). Both reports include a description of the overall business and control environment, control objectives, and the supporting control procedures in place to achieve the control objectives.

Deliverables of this phase include a Type 1 or a Type 2 report over any one, or combination of SOC 1, SOC 2, SOC 3 reporting frameworks using the control objectives, trust services principles, or other criteria specified by the client.

Why BARR for SOC Reporting

  • BARR’s SOC clients report services lead to a 70% reduction in customer compliance questionnaires; 75% less time spent on internal resources needed to pass audit
  • Trusted advisor to some of the fastest growing cloud service providers (IaaS, PaaS, SaaS) in the country
  • 100% referral and satisfaction rate from clients
  • Serving the most regulated industries including technology, financial services, healthcare and government
  • Competitive, fixed rates to accommodate growing enterprises
  • We put you and your business first, providing unparalleled communication and accessibility at all times

Recent Blog Posts

information security

The Corporate Information Security Policy Library: A Minimalist’s Perspective

| Cloud Computing, Compliance Updates, Risk Management, SOC Reporting, Vulnerability Management | No Comments

Sure, a fully stocked library sounds like a great thing. Libraries are awesome! People like content. Abundance is alluring. More is more, after all…. isn’t it? When it comes to…

Abstract digital image of cloud shaped network on structure background with cosmic light flares.

The Surprising Truth About Cloud Security

| Cloud Computing, Compliance Updates, Risk Management, SOC Reporting, Vulnerability Management | No Comments

In the face of security concerns, IT executives have mistakenly found comfort in private clouds over public clouds. No doubt, some of the enterprises using a private cloud have serious…

Mitch Evans, BARR Associate

Meet Mitch Evans, Director of Risk Consulting

| Cloud Computing, Compliance Updates, Federal, Healthcare Security, ISO27000, News, PCI DSS, Risk Management, SaaS, SOC Reporting, Vulnerability Management | No Comments

Our associates are what make BARR Advisory a truly great place to work. Get to know the people who are dedicated to helping your organization achieve the security you need…

Contact Us for a Free Consultation

We’re here to help you! Speak with a BARR specialist about your security and compliance needs.