• Assure their clients of their internal processes, policies and security.
• Ensure vendors comply with their regulations and standards.
• Obtain third-party comfort around their own cyber security program.

Baker Tilly’s SOC specialists can help your company understand what SOC report best fits your needs, whether you need assurance over a specific area for a contract, or your organization needs to ensure proper compliance with regulations.

You will work with an experienced, dedicated team who understand SOC – really understand SOC, because they not only perform SOC reporting, but are also involved in the AICPA’s committees that develop the standards for SOC reporting. You will have access to partner level resources throughout your engagement.

SOC 1 reports

SOC 1 reporting engagements provide user organizations with a strong sense of comfort about the outsourced services performed by service organizations on their behalf, which are relevant to their internal controls over financial reporting.

• Purpose: Reports on the controls of the service organization that are relevant to the user organization's internal controls over financial reporting
• Scope: Controls related to the accuracy of financial data and information technology general controls
• Audience: User organization's financial executives, compliance officers and financial statement auditors

SOC 2 and 3 reports

Established to address other types of third-party risks outside of financial reporting, SOC 2 and 3 reports provide user organizations with assurance over the critical systems and sensitive data used to provide the outsourced services. Typically, these reports are used to meet vendor risk management requirements that customers may request surrounding security. While the two options have similar scope, a SOC 3 has less detail and, therefore, typically provides less value to report users.

SOC 2 reports

• Purpose: Reports on the effectiveness of the controls of the service organization related to operations, based on the selected trust services criteria (TSC)
• Scope: Governance, operational and information technology general controls that address one or more of the TSC categories: security, confidentiality, availability, processing integrity and privacy
• Audience: User organization's information technology executives, compliance officers, vendor management executives, regulators, other specified parties and appropriate business partners
• Additional Criteria: SOC 2 reports can also include other suitable criteria, such as HITRUST, the HIPAA Security Rule and others

SOC 3 reports

• Purpose: Same purpose as SOC 2 report
• Information required: Same information as SOC 2 report, but with a less detailed description of the controls of the service organization
• Audience: Unrestricted and can be used by anyone who has the appropriate understanding of the subject matter and who would like confidence in the controls for the service organization

SOC for Cybersecurity

SOC for Cybersecurity is a risk framework that establishes common criteria and guidelines for communicating about an organization’s cybersecurity risk management program. It enables organizations to report on their cybersecurity management programs to external stakeholders with the credibility associated with an independent examination report.

SOC for Supply Chain (under development by the AICPA)

The AICPA is developing a report on an entity’s system and controls for producing, manufacturing or distributing goods to better understand the risks in an organization’s supply chain.

Type 1 vs. Type 2 Reports

Do not confuse SOC 1 and SOC 2 with Type 1 and Type 2. Both a SOC 1 and a SOC 2 can be either a Type 1 or Type 2. The key differences are:

• Type 1 addresses the design of controls as of a point in time
• Type 2 addresses the operating effectiveness of controls over a period of time
• Type 1 reports provide less comfort to the intended audience of the report and are uncommon