Companies in a wide range of industries—from credit card processing to SaaS—face growing market pressure to prove the quality of their controls. Our service organization control (SOC) assurance services help our clients demonstrate a strong control environment to their customers.
The word “audit” is too often associated with risk, expense, and a significant time commitment from CFOs and finance teams who need to stay focused on driving their business forward. That is why Peterson Sullivan has invested in a dedicated SOC practice based on a methodology designed to ensure your SOC audits are extremely efficient, while adding value.
Our dedicated SOC team provides you with deep expertise and experience. Whether you’re a Fortune 1000 company, a newly minted start-up, or somewhere in between, you’ll receive an efficient audit that adheres to our core principles:
- Transparency: Our customized audit plans provide you with the required assurance over your control environment, while effectively managing your risk through frequent transparent communication.
- Efficiency: We leverage our many years of SOC experience so you can reduce your internal and external audit costs.
- Reliability: Our focus on quality and proactive adoption of new audit requirements ensures that your audit report addresses the needs of your clients, their auditors and specific SOC compliance requirements.
The standard for outsourced processes includes three separate types of SOC reports that address assurance for service organizations. For each type of report, there is an accepted professional standard under which the audit will be performed. This allows for a common nomenclature when referring to reports going forward while allowing for a more frequent update of the professional standards:
- SOC 1 Report: This reports on the controls at a service organization relevant to a user entity’s internal control over financial reporting. This report is typically used by the service organization’s customers to satisfy Sarbanes-Oxley compliance requirements. This report is performed under the Auditing Standards Board’s Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization.
- SOC 2 Report: This reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. This report is typically used by the service organization’s customers to gain comfort over selected operational controls tested at the service organization. This engagement is performed under the AT 101, Attest Engagements standard.
- SOC 3 Report: This is a Trust Services Report which essentially covers the same subject matter as SOC 2, but the report does not include the same level of detail as the SOC 2. This report enables the service organization to publish a seal on their website indicating their compliance. This engagement is performed under the AT 101, Attest Engagements standard.
- SOC for Cybersecurity Report: Like a SOC 2, this report is intended for customers. This examination addresses common criteria for disclosures about the organization’s cybersecurity risk management program, and common criteria for assessing program effectiveness. Additionally, it contemplates the Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.
If you need a SOC report, but aren’t sure your organization is ready for the examination, we offer SOC Readiness services on a consulting basis.