SOC1 - SOC2

The performance and reporting requirements for an examination of controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.

Frequently Asked Questions

  • What's SOC 1?

    A SOC 1 audit is an audit at a service organization related to internal control over financial reporting (ICFR). SOC 1 audits were developed by the AICPA and follow the Statement on Standards for Attestation Engagements No. 18 (SSAE 18).

  • What's SOC 2 – SOC for Service Organizations: Trust Services Criteria?

    The performance and reporting requirements for an examination of controls at a service organization relevant to security.

  • What's SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report?

    The performance and reporting requirements for an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy, resulting in a general use report.

  • What's SOC for Cybersecurity?

    The performance and reporting requirements for an examination of an entity's cybersecurity risk management program and related controls.

  • WHAT ARE THE DIFFERENCES BETWEEN A TYPE-1 AND TYPE-2 REPORT?

    A Type-1 report describes the service organization's controls at a point in time. This report focuses on the design of the controls to achieve the related control objectives. It includes the service auditor's opinion, management's assertion, and the description of the system.

    A Type-2 report focuses on both the design and operating effectiveness of controls over a period of time of at least six months. It includes all of the information in a Type-1 report with the addition of the service auditor's testing performed for each control. From an auditor's perspective, only the SOC-1 Type-2 report provides assurance over a service organization's controls relative to its client's financial transactions.

  • WHICH ORGANIZATIONS NEED A SOC REPORT?

    Any service organization that needs an independent validation of controls relevant to how it transmits, processes, or stores client data may require a SOC report.  Additionally, as a result of various legislative requirements like the Sarbanes-Oxley Act, as well as increased scrutiny over third-party controls, clients are increasingly requiring SOC reports from their service organizations.

  • How much does a SOC 1 audit cost?

    Pricing for a SOC 1 audit depends on scoping factors, including business applications, technology platforms, physical locations, third parties, and audit frequency. Pricing will also vary based on the report type you choose, inclusion of a gap analysis, or inclusion of additional remediation time.

  • DO THE SOC REPORTS HAVE THE AUDITOR'S OPINION?

    Yes. A SOC report will contain the auditor's opinion covering the following areas:

    - If the service organization's description of controls is presented fairly

    - If the service organization's controls are designed effectively

    - If the service organization's controls are operating effectively over a specified period of time (Type-2 report only)

    If the above items have been achieved by the service organization, the service auditor would issue an 'unqualified' opinion. If the above were achieved but the service auditor found significant exceptions (i.e. such that a control objective was either not in place or was not effective), the service auditor would issue a 'modified' opinion. If, however, the service organization materially failed one or more of the above, the service auditor would issue an 'adverse' opinion.

  • CAN I DISTRIBUTE A SOC REPORT FOR MARKETING PURPOSES?

    No. Only SOC 3 reports can be distributed for marketing purposes. A SOC 3 report ordinarily is a general-use report, which means that management of the service organization may provide the report to anyone.

  • Who can perform a SOC audit?

    A SOC audit can only be performed by an independent CPA. CPAs must adhere to the specific standards that have been established by the AICPA and have the technical expertise to perform such engagements.
