Need a SOC Report? Start here.
Organizations in today’s connected business ecosystem outsource critical business processes and engage with third-party vendors in their daily operations. During vendor due-diligence, information security is a critical component in the decision-making process. System and Organization Controls (SOC) reports are now part of the “cost of admission” for business growth, as they communicate the effectiveness of your organization’s controls or system to your clients, partners, executives, board members, and stakeholders.
Experience Meets Process to Conduct Every Examination
Our team of CPAs and cybersecurity experts applies a disciplined, process-driven approach to creating organization-tailored examinations focused on building your cyber-resilience, while providing your business partners assurance about your system and organization controls. Our SOC examination process:
- Provides an independent, objective look at your IT environment;
- Promotes transparency, accountability, and focus; and
- Balances risk and expense to help you achieve your strategic business goals.
Choosing the SOC Report Best for your Organizational Needs
While all SOC reports achieve the results listed above, each report is designed with unique objectives to meet the needs of a specific audience including management, auditors, business partners, board members, and executives. Below is an overview of HORNE’s SOC Suite of Services:
SOC Reports at a Glance
Knowing the Difference in SOC Reports
SOC 1 Examinations: Type 1 and Type 2
SOC 1 reports are important components of an organization’s evaluation of its internal controls over financial reporting for purposes of compliance with laws and regulations. SOC 1 Type 1 reports evaluate the fairness of management’s description of the system and the suitability of the design of controls to achieve the related objectives as of a specific date. Similarly, SOC 1 Type 2 reports evaluate the fairness of management’s description, the suitability of the controls’ design, and the operating effectiveness of the controls to achieve the related objectives over a specified period. SOC 1 reports are intended for management, user entities, and auditors.
Those in need of a SOC 1 report include service organizations that provide a service that may have a material impact on the financial statements of the user entity, such as those that offer accounting software or payroll processing to user entities including loan servicing companies and medical claims processors.
SOC 2 Examinations: Type 1 and Type 2
SOC 2 reports evaluate internal controls in relation to the security, availability, processing integrity, confidentiality, and privacy criteria. A SOC 2 Type 1 report evaluates the fairness of management’s description of the system and the suitability of the design of controls to achieve the related objectives as of a specific date. Similarly, SOC 2 Type 2 reports evaluate the fairness of management’s description, the suitability of the controls’ design, and the operating effectiveness of the controls to achieve the related objectives over a specified period. SOC 2 reports form an important part of stakeholders’:
- Organizational oversight
- Vendor management program
- Internal corporate governance and risk management process
- Regulatory oversight
SOC 2 reports are intended for management and shared with business partners to provide assurance of the organization’s internal controls.
Examples of those in need of a SOC 2 report include service organizations that provide a service affecting compliance and operational controls, such as a data center that hosts servers for user entities or an information technology managed services provider.
SOC for Cybersecurity
A SOC for Cybersecurity examination will provide your organization with insights into your current security posture and will assist you in making decisions to drive strategic cyber-resilience initiatives. Organizations can leverage a SOC for Cybersecurity report to effectively communicate the strength of their current program, and the opportunities within the IT environment, to board members, executives, and key stakeholders. The SOC for Cybersecurity report provides a comprehensive view of your program by considering:
- Nature of information at risk
- Cybersecurity risk management program objectives
- Factors that have a significant effect on inherent cybersecurity risks
- Cybersecurity risk governance structure
- Cybersecurity risk assessment process
- Monitoring of cybersecurity risk management program
- Cybersecurity control processes
The SOC for Cybersecurity report provides detailed information regarding gaps in the effectiveness of controls in your organization’s cybersecurity risk management program to drive decision-making and prioritization of IT spending.
SOC for Supply Chain (Coming Soon)
The AICPA has released the Exposure Draft for the Proposed Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report. This is the first step in the release of the new examination-level service to assist boards of directors, senior management, and other pertinent stakeholders as they evaluate the supply chain risks of doing business with an organization.
A SOC for Supply Chain report is designed to provide intended users with information about the system used to produce, manufacture, or distribute products and the relevant controls within that system. The report is designed to provide users with the information needed to identify, assess, and manage the risks that arise from their relationships with the entity. Intended users include:
- Business customers, including immediate customers or similar business entities further down the supply chain, need information about the entity’s system, such as the nature and effectiveness of controls within that system, to (a) integrate those controls with the controls within their own systems, and (b) determine whether those controls are enough to mitigate their own business risks.
- Business partners may include affiliated organizations that are customers or suppliers. Business partners need information about the entity’s system and the controls within that system to manage and assess the risks associated with doing business with the entity.
- Nonregulatory, standard-setting bodies consisting of business customers or business partners that represent their membership (for example, industry consortiums) need information about the entity’s system and related controls to better meet the needs of their constituents.
- Others, such as prospective customers and business partners, need information about the entity’s system and controls to supplement their supplier selection processes or to ensure the supplier’s compliance with regulatory requirements.
HORNE can help your organization prepare for a successful SOC for Supply Chain examination now.
Comparing SOC Examinations
The following comparison of SOC examinations communicates the key differences in our SOC suite of services and how each examination helps strengthen business relationships with your intended users.
SOC Examination Process
While each SOC examination serves the needs of different user entities, much of the groundwork to prepare is similar for all. Below is an overview of our SOC examination process, which can be utilized to help you start preparing for the examination process.
Step 1: Planning
Each SOC examination engagement begins with a scoping discussion to identify your pain points, needs, and wants. This conversation will help determine which SOC examination best suits the current needs of your organization. During this scoping meeting, our team will work alongside you to determine your organization’s level of readiness for a SOC examination. If a readiness assessment is needed to properly prepare your organization for a SOC examination, our team will include this in the preparation phase.
Step 2: Preparation*
This is generally the period of time in which your organization prepares for the audit by ensuring documentation is available and any control gaps identified during a readiness assessment are addressed prior to beginning the SOC examination.
*HORNE strongly recommends that all organizations that have not previously undergone the SOC examination process have a readiness assessment performed. The readiness assessment is a critical component in establishing an organization’s controls prior to the audit, ensuring a comprehensive and accurate SOC report.
Step 3: Fieldwork
During the fieldwork phase, we work with key process and control owners at your organization to gain an understanding of the critical activities and controls that could affect users of your system.
We will obtain and inspect supporting documentation from your organization to ensure that identified control objectives (SOC 1), common criteria (SOC 2), and cybersecurity processes (SOC for Cybersecurity) are in place to support your service organization’s system.
Step 4: Reporting and Quality Control
After our fieldwork is completed, a system of quality control reviews is performed to ensure that the work performed reflects the standards of the AICPA. Issues or findings will be discussed with management, their impact on the report and its users will be determined, and management will be given an opportunity to respond with the remediation steps performed or planned.
Step 5: Delivery
Prior to the release of the final report, a signed Management Representation Letter will be provided to HORNE. Upon receipt of this letter, we will release the finalized version of the report to you for distribution to the designated users of the report.
At HORNE, our greatest strength is our people. As an accounting firm, our assurance team consists of CPAs and cybersecurity experts with more than 10 years of experience in providing SOC services to our clients. Our team’s unique composition marries financial and information technology expertise with an offense-oriented approach to cybersecurity.
Contact us for more information on how HORNE can help your organization communicate the effectiveness of its security program, building trust through transparency, with a SOC examination.