SOC 1 , SOC 2 and SOC 3 Reporting

Oread Risk & Advisory provides three type of System and Organization Controls (SOC) examinations.

* SOC 1 reporting focuses on issues that pertain to a client’s internal control of financial reporting (ICOFR).

* SOC 2 reporting and SOC 3 reporting have a more broad applicability and focus on operational controls covering security, confidentiality, availability, privacy, and/or processing integrity across your various systems.

Oread Risk & Advisory delivers SOC 1 reporting, SOC 2 reporting and SOC 3 reporting services so your company can provide your customers with the assurance they need to confidently conduct business.

What is a SOC 1 report?

SOC 1 examinations report on your company’s internal controls that impacts your customers’ internal controls over financial reporting.

Final SOC 1 reports provided information on controls at a service organization. These reports apply to your business if you perform financial transaction processing or support a transaction processing system.

We prepare these reports, so your customers and auditors have a detailed report of your IFCOR.

SOC 1 reports come in two types.

Type 1

Reports that assess your management team’s description of the organization’s system and suitability of design of the controls at a point in time.

Type 2

Reports that evaluate your management team’s description of the organization’s system and the suitability of the design as well as operational effectiveness over a period of time. If your company has sensitive customer data, then a SOC audit would make sense for your business.  A SOC audit gives comfort to your clients that their data is secure.

More on SOC1 Reporting

The first step is a readiness engagement which is a preliminary assessment and provides guidance that will empower the service organization to successfully prepare for, and achieve, an unqualified opinion on a SOC 1 Type 1 or Type 2 examination.

Readiness engagements are accomplished by identifying specific controls and control gaps related to the achievement of control objectives for the services being audited, and then by providing specific, actionable guidance for improving and maintaining the system of controls.

What is a SOC 2 report?

SOC 2 examinations report on your business’ system security, confidentiality, availability, privacy, and/or processing integrity across your various systems.

We conduct SOC 2 reports on a broad array of systems and focus on the following criteria outlined by the American Institute of CPAs:

• Security: The system is protected against unauthorized access, use, or modification.
• The system is available for operation and use as committed or agreed.
• Processing integrity. System processing is complete, valid, accurate, timely, and authorized.
• Information designated as confidential is protected as committed or agreed.
• Information collected, used, retained, disclosed, and disposed of is in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP).

SOC 2 reports come in two types.

Type 1

Reports that assess your management team’s description of the organization’s system and suitability of design of the controls at a point in time.

Type 2

Reports that evaluate your management team’s description of the organization’s system and the suitability of the design as well as operational effectiveness over a period of time.

What is a SOC 3 report?

SOC 3 examinations report on your business’ system security, confidentiality, availability, privacy, and/or processing integrity across your various systems. We follow the American Institute of CPA’s Trust Services Principles when evaluating your company’s controls over information being processed by a system.

Unlike SOC 2 reports, SOC 3 reports are for your company if you do not have the need for or the insight needed to make use of comprehensive details that the SOC 2 report provides.

So, you can look at SOC 3 reports like “SOC 2 reports light.” These general-use reports also provide the opportunity to be distributed as marketing reports.