SOC 1 Utah | SOC 2 Reports Utah | SSAE18 Utah (UT)


SOC Reports – Utah

Utah business owners need to ensure sensitive data is protected, especially when it comes to personally identifiable information (PII).  Ensuring the company has robust internal controls and practices in place to protect against a breach is essential. In fact, many may expect to see a System Organization Control (SOC) Audit report before working with a provider. This examination verifies that the tools, processes, and procedures have been tested and are effective. Some may desire a SOC 1 audit, while others will obtain more value from a SOC 2 examination or SOC 3 audit. Whatever the desired level of assurance, it is important to work with an experienced provider to drive the process.

Utah SOC 2 Experience

Barnes Dennig provides SOC audits to Utah area companies in a variety of industries. Typically, we work with those that use or store sensitive financial information, including data centers, loan servicing companies, medical claims processors, and payroll companies. Our diverse range of experience lets us understand the company more easily: its risk profile, its areas of exposure, and the important testing variables. The result is a SOC audit with more value, because our seasoned team knows the right questions to ask and the importance of following best practices.


Utah SOC Audits

Barnes Dennig offers a number of SOC Audit services including:

  • SOC 1 Audits – The reports assure your clients that internal controls are secure. These audits focus on your organization’s business processes and IT controls. Any that are likely to be relevant to an audit of your customers’ financial statements are documented in the report. There are two types of SOC reports: Type 1 reports test the design of your organization’s controls. Type 2 reports test whether your controls are properly designed and implemented.
  • SOC 2 Audits – These reports concentrate on five Trust Services Principles: security, availability, processing integrity, confidentiality, and privacy. SOC 2’s requirements allow data providers to decide how they want to meet the criteria. This flexibility means SOC 2 reports are unique to each company.
  • SOC 3 Audits – Similar to SOC 2 reports in that they examine the same five Trust Services Principles, the results of the audit are publicly available.
  • SOC Readiness Assessments – These assessments provide an overview of your organization’s preparedness for a successful SOC 1, 2, 3, or Cybersecurity audit.

Serving Clients Remotely

Barnes Dennig works with companies, including healthtech firms, in Utah, across the U.S., and in Canada, providing SOC 1 reports, SOC 2 reports, and SOC 3 reports. To demonstrate this, we have provided a map of client locations.

Contact our Utah SOC Auditors

Barnes Dennig provides SOC 1, SOC 2, and SOC 3 audits and readiness assessments to companies in Utah. If you are interested in learning how we can assist your organization, complete the form below or call us at 800-430-4731.

SOC Report FAQs

A System and Organization Controls (SOC) report is a verifiable auditing report performed by a Certified Public Accountant (CPA) designated by the American Institute of Certified Public Accountants (AICPA).

The Statements on Auditing Standards (SASs) primarily provide guidance on reporting on an audit of financial statements, whereas the Statements on Standards for Attestation Engagements (SSAEs) primarily provide guidance on reporting on other subject matter.

In 2010, the AICPA introduced SSAE 16, which replaced SAS 70. It was designed to closely mirror international accounting standards. In 2016, the AICPA introduced SSAE 18, which replaced SSAE 16. The intent was to standardize attestation criteria. In 2022, SSAE 21 replaced SSAE 18.

A SOC 1 report is designed to address controls over financial reporting. Providing services that impact the financial statements of clients or customers typically results in the need for a SOC 1 report. Common examples include payroll processors and collections agencies. It’s also possible to do a SOC 1 report that simply covers IT General Controls.

A SOC 2 report is focused on a control environment built on controls that meet the relevant SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality, and/or privacy).

To complicate things, each type of report can be completed as a Type 1 or a Type 2. A Type 1 report covers controls in place at a specific point in time; the auditor opines on the design and implementation of the controls. A Type 2 report covers controls in place over a period of time; the auditor opines on the operating effectiveness of the controls over that period in addition to their design and implementation.

The SOC 3 is a derivative of the SOC 2 report. SOC 3 reports are general-purpose reports that can be posted online for public consumption. It is a summary-level report that leaves out much of the detail found in the SOC 2 report.

A SOC 1 report is built around the system description and related control objectives.

System Description – the narrative component that provides users with a comprehensive understanding of the service organization’s systems, processes, and controls.

Control Objectives – The control objectives outlined in a SOC 1 report provide a clear and structured framework for assessing whether the control procedures were designed and operating effectively to achieve their intended purpose. These objectives encompass IT General Controls, which address the security and integrity of the system, as well as controls related to data input, processing within the system, and the export or reporting of data from the system.

A SOC 2 report is built around the system description and related control procedures supporting the in-scope Trust Services Criteria.

System Description – the narrative component that provides users with a comprehensive understanding of the service organization’s systems, processes, and controls.

Trust Services Criteria – The AICPA establishes the Trust Services Criteria. The Service Organization selects the Trust Services Criteria that are in scope. This is typically driven by conversations with customers and reviews of contracts with customers.

These five attributes of a system were originally known as principles. A few years ago, the name “Trust Services Principles” was changed to “Trust Services Criteria.”

The five categories didn’t change, and the same basic framework is in place for assessing the controls. Within the five categories, there are individual criteria. They are more like requirements. The things you put in place to meet the requirements are the controls.

Control Procedures – the controls the Service Organization has identified and put in place to meet the selected Trust Services Criteria.

  1. Security – addresses controls related to protecting the system and data from unauthorized access, damage, or theft.
  2. Availability – ensures that the system and services are available as agreed upon in service level agreements.
  3. Processing Integrity – ensures that system processing is accurate, complete, and timely.
  4. Confidentiality – maintaining the confidentiality of sensitive data.
  5. Privacy – the collection, use, retention, disclosure, and disposal of personal information to ensure alignment with data protection laws and regulations.

SOC 2 is a voluntary compliance standard for service organizations that specifies organizations should manage customer data based on the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 is increasingly valuable in business-to-business compliance and assurance.

It continues to expand in usefulness as a tool to meet other requirement standards (e.g., GDPR, HIPAA, and PCI DSS) that require detailed oversight of third-party vendors.

We’re seeing many businesses expand from a basic SOC 2 Security report to SOC 2+, which can include additional criteria or frameworks important to your customers. Expanding on the basic SOC 2 demonstrates that you’re expanding your control environment and better protecting your clients.


The AICPA provides mappings for the following frameworks:

  • ISO 27001
  • NIST CSF
  • NIST 800-53
  • GDPR
  • CSA’s Cloud Controls Matrix
  • ISACA Blockchain Framework

Other frameworks and mappings exist in practice, so the list above is not comprehensive. For example, Microsoft includes German C5 (Cloud Computing Compliance Controls Catalogue) in its report.

While it may take more time, resources, and judgment, it’s possible to include other frameworks in a SOC 2+ that haven’t been mapped by the AICPA.

The SOC for Cybersecurity examination provides an independent, entity-wide assessment of your organization’s cybersecurity risk management program. It’s especially useful for larger organizations that need a measurement of their own cybersecurity posture.

It also helps to quantify risk over time for board members who want to know if cybersecurity risks are being adequately mitigated. It’s a great way to measure whether very specific controls have improved from year to year.

A SOC 2 Type 2 is a period-of-time report, but the SOC guide does not prescribe a minimum period of coverage for a SOC 2 report.

Practitioners need to use professional judgment in determining whether the report covers a sufficient period.

The SOC guide gives an example of a service organization that wishes to engage a service auditor to perform a type 2 engagement for a period of fewer than two months. In essence, it states that the service auditor should consider whether a report covering that period will be useful to users – particularly if many of the controls related to the applicable trust services criteria are performed on a monthly or quarterly basis.

About Utah (UT)

The Utah business community has undergone significant growth and transformation over the years, making it a prominent player in the national and global economy. This narrative provides an overview of the key factors that have shaped and continue to define the Utah business landscape.

Utah’s business community is characterized by its unique blend of innovation, entrepreneurship, and a strong work ethic. The state has a history of fostering a business-friendly environment with low taxes, minimal regulations, and a skilled workforce. This has attracted a diverse range of industries, from technology and healthcare to manufacturing and outdoor recreation.

One of the driving forces behind Utah’s economic success is its thriving technology sector, often referred to as the “Silicon Slopes.” The state has become a hub for tech startups and established companies alike, with Salt Lake City and its surrounding areas hosting numerous tech headquarters and innovation centers. Companies like Adobe, Qualtrics, and Overstock.com have established a significant presence in Utah, contributing to the region’s reputation as a tech powerhouse.

National Reach

Barnes Dennig provides SOC 2 reports to companies in Arkansas (AR), Arizona (AZ), California (CA), Colorado (CO), Delaware (DE), Florida (FL), Idaho (ID), Illinois (IL), Iowa (IA), Kansas (KS), Minnesota (MN), Nebraska (NE), Nevada (NV), New Jersey (NJ), New Mexico (NM), North Carolina (NC), North Dakota (ND), Ohio (OH), Oklahoma (OK), Oregon (OR), South Carolina (SC), Tennessee (TN), Texas (TX), Virginia (VA), Washington (WA), Wisconsin (WI), and Wyoming (WY).
