System and Organization Controls
(SOC) Reports

SOC Audits and the K Financial Advantage

K Financial is a licensed Certified Public Accounting firm, registered with the American Institute of Certified Public Accountants. Our CPAs who focus on SOC reporting are also trained and experienced IT auditors. We have developed and follow an efficient and effective control assessment and testing methodology that enables us to deliver SOC reports at significantly lower rates than our competitors. In accordance with professional standards, we maintain our independence throughout our examinations, but we pride ourselves on taking a much more consultative approach than our competitors. 

We recognize that the AICPA standards may be confusing to our clients and the examination process may be intimidating. Our seasoned professionals are able to help clients define their control objectives and document their control activities in order to stream-line the examination process. Our services also generally include valuable recommendations to improve the overall internal control structure.

What Are SOC Reports?

SOC reports allow service providers to establish their reliability and credibility by auditing various services including security, privacy, confidentiality, and data management.

It is common for tasks or functions to be outsourced to a service organization. When users of a service organization (user entities) outsource tasks and functions, many of the risks of the service organization become risks of the user entities. 

In light of several prominent internal-control breakdowns, (e.g., security and privacy breaches, and frauds) and increasing regulatory focus on internal control (e.g., Sarbanes-Oxley Act, Basel II, HITECH and HIPAA), user-entity management is increasing its due diligence. 

These technological and regulatory changes have heightened the need for assurances and information that enables management to demonstrate that they have addressed stakeholder concerns related to the security, confidentiality, and privacy of the systems used to process user entities’ data.

By engaging an independent CPA to examine and report on a service organization’s controls with a SOC audit, service organizations can respond to the needs of their user entities and obtain an objective evaluation looking at the effectiveness of controls that address operations and compliance, as well as financial reporting. 

To provide the framework for CPAs to examine controls and to help management understand the related risks, the American Institute of CPAs established three SOC report types (SOC 1, SOC 2 and SOC 3 reports). SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. SOC 2 and SOC 3 engagements address controls at the service organization that relate to operations and compliance.

SOC 1 Report: What is it?

Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 reports examine an organization that provides services to user entities when controls are likely to be relevant to a user entity’s internal control over financial reporting.

There are two types of SOC 1 reports:

Both types are reports on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives. 

• Type 1 – A Type 1 report details whether it is possible to achieve the related control objectives included in the description as of a specified date.
• Type 2 – A Type 2 report tests the related control objectives included in the description over a specified period of time. A Type 2 report provides a more thorough investigation and is a more intensive report to compile.

Use of a SOC 1 report is restricted to existing user entities (not potential customers).

SOC 2 Report: What is it?

Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. A SOC 2 report is similar to a SOC 1 report, but it also includes a description of the tests performed by the service auditor and the results of those tests. SOC 2 reports specifically address one or more of the following five key system attributes:

• Security – The system is protected against unauthorized access (both physical and logical)
• Availability – The system is available for operation and use as committed or agreed
• Processing Integrity – System processing is complete, accurate, timely and authorized
• Confidentiality – Information designated as confidential is protected as committed or agreed
• Privacy – Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants

SOC 3 Report: What is it?

Trust Services Report for Service Organization: SOC 3 engagements use the predefined criteria that also are used in SOC 2 engagements. The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system. 

A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy).

Please click on the following link for: Comparison of SOC 1, SOC 2 and SOC 3 reports.