Baker Tilly
Contact us
Consultant meets with client regarding a SOC report to ensure compliance

System & Organization Controls (SOC) Reporting

Baker Tilly’s dedicated AICPA SOC specialists help organizations find the right reporting to fit their needs, including SOC 1 vs. SOC 2.

System & Organization Controls (SOC) Reporting

  1. Whitepaper
    audit staff at an accounting firm

    Transparency report: how we perform quality audit engagements

  2. Webinar
    SOC lessons learned

    SOC: lessons learned from a year of remote engagements

  3. Webinar
    Team meeting analyzing data

    SOC 2 for startups: what you need to know to be prepared for a SOC 2 audit

  4. Article
    Lessor issues: Implementing the new leases (ASC 842) accounting standard

    Lessor issues: implementing the new leases accounting standard

  5. Webinar
    Blue lighting in server room

    SOC considerations through the COVID-19 lens

  6. Article
    Professional works remotely on his computer and phone

    The impact of COVID-19 on SOC

  7. Article
    Blue architecture in a city

    AICPA releases new SOC for Supply Chain reporting framework

  8. Article
    Real estate, both historic and modern, in a city

    Companies’ goodwill impairments expected to substantially spike this year

  9. Webinar
    Leveraging SOC 2® reports to meet stakeholder expectations

    Leveraging SOC 2® reports to meet stakeholder expectations

  10. Multimedia
    Vascular Solutions testimonial

    System and Organization Controls (SOC) overview

  11. Article
    Man works remotely with phone, reports and computer

    Establishing trust with SOC reports

  12. Webinar
    Manufacturing denim in a supply chain

    Supply chain industry trends and upcoming SOC for Supply Chain report

  13. Article
    Stack of white papers

    AICPA proposes guidance for new System and Organization Controls (SOC) Supply Chain report

  14. Webinar
    Bundle of fiber optic wiring

    Transitioning between System and Organization Control (SOC) reports

  15. Article
    “Attorneys’ and hackers’ eyes only”: cybersecurity risk management program for law firms

    “Attorneys’ and hackers’ eyes only”: cybersecurity risk management program for law firms

  16. Webinar
    lighthouse at the end of a dock at night with water

    Preparing for SOC 2® changes: lessons learned from applying the new Trust Services Criteria

  17. Case Study
    Tall electrical tower

    System and Organization Controls (SOC) reports provide third-party assurance and significant time savings for large energy company

  18. Webinar
    Man works remotely with phone, reports and computer

    System and Organization Controls (SOC): latest SOC 2® guidance updates and impacts for issuers and recipients

  19. Article
    Ethernet cables

    System and Organization Controls (SOC): 20 questions with Baker Tilly

  20. Webinar
    View of a computer server room

    System and Organization Controls (SOC) webinar and insights series

  21. Article
    Woman reviews business plan on computer

    AICPA releases new guidance on System and Organization Controls (SOC) 2® Trust Services Criteria and Description Criteria

  22. Article
    AICPA releases System and Organization Controls (SOC) for Cybersecurity guidance with SOC 2® comparison

    AICPA releases System and Organization Controls (SOC) for Cybersecurity guidance with SOC 2® comparison

  23. Webinar
    Man working at a computer from home

    SOC update: Lessons learned from the first year of SSAE18 and SOC for Cybersecurity

  24. Article
    Strategy session resources

    System and Organization Controls (SOC): a guide to transitioning to the new Trust Services Criteria

  25. Webinar

    System and Organization Controls (SOC) essentials II: key tips for issuers and recipients

  26. Article

    Cybersecurity risk management reporting framework can provide a key component of an organization’s risk management program

  27. Whitepaper

    ASC 606 Revenue Recognition e-book

  28. Article
    Focal themes from the Super Regional P/C Insurer conference

    AICPA releases final guidance on SOC for cybersecurity

  29. Article
    The test for goodwill impairment gets easier

    The test for goodwill impairment gets easier

  30. Article
    ASC 606 (revenue recognition) transition: The role of internal control over financial reporting (ICFR) and auditor expectations

    ASC 606 (revenue recognition) transition: The role of internal control over financial reporting (ICFR) and auditor expectations

  31. Article

    Creating a sustainable cybersecurity management program

  32. Webinar
    ICFR for Revenue Recognition

    ICFR for Revenue Recognition

  33. Article
    Summary of all the FASB ASUs in 2016

    Summary of all the FASB ASUs in 2016

  34. Webinar
    ASC 606: Transition methods and effective dates

    ASC 606: Transition methods and effective dates

  35. Webinar
    Leases: How will it impact you?

    Leases: How will it impact you?

  36. Article
    The ASC 606 (revenue recognition) transition: Effective dates and transition methods

    The ASC 606 (revenue recognition) transition: Effective dates and transition methods

  37. Article

    AICPA proposes cybersecurity attest engagement

  38. Article
    Two railroad tracks merge en route

    Focus on these key areas within each community bank merger and acquisition stage

  39. Article
    FASB revises credit loss reporting rules for financial institutions

    FASB revises credit loss reporting rules for financial institutions

  40. Article
    The ASC 606 transition: Recognizing revenue as each performance obligation is satisfied

    The ASC 606 transition: Recognizing revenue as each performance obligation is satisfied

  41. Article
    ASC 606, new revenue recognition standard, may impact broker-dealers

    ASC 606, new revenue recognition standard, may impact broker-dealers

  42. Article
    The ASC 606 transition: Allocating the transaction price to separate performance obligations

    The ASC 606 transition: Allocating the transaction price to separate performance obligations

  43. Webinar
    WEBINAR: ASC 606 (revenue recognition) transition: Determining the transaction price (consideration)

    WEBINAR: ASC 606 (revenue recognition) transition: Determining the transaction price (consideration)

  44. Webinar
    Equipment leasing – Strategies, best practices, and new leasing standards

    Equipment leasing – Strategies, best practices, and new leasing standards

  45. Article
    The ASC 606 transition: Determining the transaction price

    The ASC 606 transition: Determining the transaction price

  46. Comment Letter
    Proposed ASU: statement of cash flows, restricted cash

    Proposed ASU: statement of cash flows, restricted cash

  47. Article

    OCC standards require strict oversight of third-party relationships

  48. Article

    Cybersecurity management: implementing cybersecurity controls

  49. Article
    Summary of all the FASB ASUs in 2015

    Summary of all the FASB ASUs in 2015

  50. Article

    AICPA changes to SOC 2: what service organizations need to know

  51. Article
    Conference room in advance of board meeting

    Vendor management and the importance of System and Organization Controls (SOC) report reviews

  52. Article

    Revenue recognition requirements delayed one year

  53. Article

    Proposed revisions to the Trust Services Principles and Criteria are available for comment

  54. Article
    Transitioning to the 2013 COSO Framework

    Transitioning to the 2013 COSO Framework

  55. Comment Letter
    Baker Tilly Comment Letter to the FAF on the PCC

    Baker Tilly Comment Letter to the FAF on the PCC

  56. Article

    AICPA issues guidance on new mortality tables for nongovernmental employee benefit plans

  57. Article

    New Jersey law mandating health insurance data encryption may have broader implications

  58. Article
    Conference room in advance of board meeting

    Recent news insight: Morgan Stanley and the importance of quality internal controls

  59. Webinar

    Understanding your IT risks, security, and vendor management webinar

  60. Case Study

    SOC 2 report helps international printing company drive millions in sales

  61. Comment Letter

    Baker Tilly Comment Letter to the AICPA on the Enhancing Audit Quality Initiative

  62. Article

    Regulatory noncompliance is now a financial matter

  63. Article

    Cybersecurity: stay ahead of an evolving landscape

  64. Article

    Going Concern: FASB issues new standard on reporting adverse conditions and events

  65. Article

    Cybersecurity: steps to take now

  66. Article

    Managing risk for third party relationships: Office of the Comptroller guidance

  67. Article
    Professionals walk and talk in transit to the next business meeting

    SOC reporting: what service organizations need to know

  68. Article

    New NIST Cybersecurity Framework

  69. Case Study

    Credit union relies on risk and internal audit expertise

  70. Article

    Changes to the Trust Services Principles that Impact SOC 2

  71. Comment Letter

    Baker Tilly Comment Letter to the AICPA on the Proposed Revision of Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) SOC reporting was developed as a valuable tool for organizations. SOC 1® and SOC 2® examinations assure their clients of their internal processes, policies and security and ensure vendors comply with their regulations and standards.

    Baker Tilly’s SOC specialists can help your company understand what SOC report best fits your needs, whether you need assurance over a specific area for a contract, or your organization needs to ensure proper compliance with regulations.

    You will work with an experienced, dedicated team who really understands SOC – because they not only perform SOC reporting, but are also involved in the AICPA’s committees that develop the standards for SOC reporting. Additionally, you will have access to partner-level resources throughout your engagement.

    Delivering SOC examinations remotely

    Our SOC practice uses a variety of technology tools to streamline our service delivery model and make sharing documents and requests seamless. These tools can also make it easy for our SOC clients to work remotely and share documents and evidence needed as part of the SOC process with us. Our personnel are well versed in methods for facilitating video conferences, teleconference calls and live, online document-sharing sessions to perform SOC readiness and SOC examination services as efficiently (if not more than) if we were live on-site.

    In many cases, remote SOC project services can deliver the same quality service while minimizing travel expenses and space constraints that can accompany on-site work.

    If you are considering Baker Tilly for your SOC needs, let’s discuss these options together and how they could apply in your environment. If you already use Baker Tilly for your SOC needs, please talk with your engagement team about leveraging these tools to make the SOC process as efficient and effective as possible.

    Connect with usarrowCreated with Sketch.

    SOC reporting options for your organization

    With several reporting options available, it is important to identify which SOC report is right for your organization. Reporting options include the SOC 1®, SOC 2®, SOC 3®, SOC for Cybersecurity and SOC for Supply Chain.

    SOC 1 reports

    SOC 1 reporting engagements provide user organizations with a strong sense of comfort about the outsourced services performed by service organizations on their behalf, which are relevant to their internal controls over financial reporting.

    • Purpose: Reports on the controls of the service organization that are relevant to the user organization's internal controls over financial reporting
    • Scope: Controls related to the accuracy of financial data and information technology general controls
    • Audience: User organization's financial executives, compliance officers and financial statement auditors

    SOC 2 and 3 reports

    Established to address other types of third-party risks outside of financial reporting, SOC 2 and 3 reports provide user organizations with assurance over the critical systems and sensitive data used to provide the outsourced services. Typically, these reports are used to meet vendor risk management requirements that customers may request surrounding security. While the two options have similar scope, a SOC 3 has less detail and, therefore, typically provides less value to report users.

    SOC 2 reports

    • Purpose: Reports on the effectiveness of the controls of the service organization related to operations, based on the selected trust services criteria (TSC)
    • Scope: Governance, operational and information technology general controls that address one or more of the TSC categories: security, confidentiality, availability, processing integrity and privacy
    • Audience: User organization's information technology executives, compliance officers, vendor management executives, regulators, other specified parties and appropriate business partners
    • Additional Criteria: SOC 2 reports can also include other suitable criteria, such as HITRUST, the HIPAA Security Rule and others

    SOC 3 reports

    • Purpose: Same purpose as SOC 2 report
    • Information required: Same information as SOC 2 report, but with a less detailed description of the controls of the service organization
    • Audience: Unrestricted and can be used by anyone who has the appropriate understanding of the subject matter and who would like confidence in the controls for the service organization

    SOC for Cybersecurity

    SOC for Cybersecurity is a risk framework that establishes common criteria and guidelines for communicating about an organization’s cybersecurity risk management program. It enables organizations to report on their cybersecurity management programs to external stakeholders with the credibility associated with an independent examination report.

    SOC for Supply Chain

    The AICPA has developed a report on an entity’s system and controls for producing, manufacturing or distributing goods to better understand the risks in an organization’s supply chain.

    Type 1 vs. Type 2 Reports

    Do not confuse SOC 1 and SOC 2 with Type 1 and Type 2. Both a SOC 1 and a SOC 2 can be either a Type 1 or Type 2. The key differences are:

    • Type 1 addresses the design of controls as of a point in time
    • Type 2 addresses the operating effectiveness of controls over a period of time
    • Type 1 reports provide less comfort to the intended audience of the report and are uncommon

    If you’ve never had a SOC examination performed, you’re probably wondering what it entails.

    Determine report type and scope

    The first thing we need to do is help determine which report is most applicable to your environment and the needs of your organization and your clients.

    Ensure no surprises

    After we agree upon the type and scope of the examination, we typically perform a readiness assessment before your first SOC examination. The readiness assessment is a one-time review to identify your control activities satisfying each of the objectives or criteria. We will also determine potential test procedures and identify the types of evidence available to satisfy those test procedures. The deliverable provides recommendations on potential gaps in control activities and/or documentation.

    Remediation

    After we perform the readiness assessment, we allow you time to remediate control or documentation deficiencies before we begin our examination period.

    Document request

    Several weeks prior to fieldwork, we will send out a document request list to assist you in gathering the necessary evidence prior to our visit. This will also help us select samples for testing.

    Onsite testing

    When we arrive onsite, we will conduct our walkthroughs, observational testing and inspect the documentation you have provided for us. Interim fieldwork typically requires about one to two weeks onsite for small- to medium-sized organizations.

    Final fieldwork

    Towards the end of the examination period, we will perform final fieldwork where we will select additional samples and complete any remaining test procedures.

    Final report

    After final fieldwork, we will subject the final report to our internal quality control procedures and issue the report approximately four to eight weeks after the procedures are completed.

    Connect with usarrowCreated with Sketch.
    Your team was fantastic to work with again this year. I compliment the amazing team you have an am looking forward to next year!
    Senior Vice President/Chief Technology Risk Officer of a large financial institution

    Featured insights

    Article
    Conference room in advance of board meeting

    Vendor management and the importance of System and Organization Controls (SOC) report reviews

    Article
    Five person meeting

    Tips to understand and maximize the value of SOC reports for boards, audit committees and senior management

    Webinar
    Bundle of fiber optic wiring

    Transitioning between System and Organization Control (SOC) reports

    Article

    SOC reporting: what service organizations need to know

    Article
    Ethernet cables

    System and Organization Controls (SOC): 20 questions with Baker Tilly

    Case Study
    Tall electrical tower

    System and Organization Controls (SOC) reports provide third-party assurance and significant time savings for large energy company