Establishing Credibility with Your Customers
If your business provides outsourced service functions like payroll, cloud computing, document management or many others, your customers may be looking for independent validation of your controls. This could be to satisfy their own Sarbanes-Oxley requirements or as part of their own internal due diligence on vendors. When many customers begin investigating your controls, you can satisfy multiple requests with a single SOC report.
High profile fraud cases come with heightened awareness of the need for internal controls. There is also increased concern over data protection as more companies offer cloud-based services in a Software as a Service (SAAS) model. We can provide an objective evaluation of how well information is protected so you can show your customers their data are in good hands.
If you have questions about SOC reports, what they mean and their impact on various stakeholders watch the video below, or check out our SOC FAQs.
We provide the following SOC services:
- SOC Readiness Assessment. The AICPA allows us to help you develop your report and take an “open book test” the first time through. We call this a readiness assessment, and it can help management ensure a smooth takeoff on your first SOC report. This is a specialty at Barnes Dennig. We work with you on your schedule, and can help identify new policies and procedures if needed to be able to pass your first SOC audit. We use an extraordinarily simple file sharing and project management tool to communicate specific details on each open item. This tool also provides project status graphs at the push of a button. It also can assign specific items to different people, making it easy for your team to collaborate with our team.
- SOC 1 Report or Standards for Attestation Engagements No. 18 (SSAE 18). There are two different SOC 1 reports that can be issued; both look at a service organization’s internal controls over financial reporting.
- SOC 2 Report. This is an evaluation of a service organization’s controls on data security, availability, processing integrity, confidentiality and privacy. These also may cover other established controls, the most common of which are from HITRUST and the Cloud Security Alliance. These are referred to as SOC 2+. The AICPA has worked closely with HITRUST to map the HITRUST CSF (Common Security Framework) for companies complying with HIPAA, and with the Cloud Security Alliance to map controls to the Cloud Controls Matrix.
|Governing Body||Controls Framework||Compliance Intent|
|AICPA||SOC 2 Security, Availability, Confidentiality, Processing Integrity and Privacy||General Third-party Vendors|
|Cloud Security Alliance||Cloud Control Matrix||SaaS Vendors|
- SOC 3 Report. Intended for public use, this is a simplified version of a SOC 2 report made available for publishing on the Internet. These are typically offered as an incremental report in addition to a SOC 2 report.
Service Organization Controls Experience: As certified public accountants (CPAs), we uniquely understand the SOC requirements developed by the American Institute of CPAs. In addition, our team of auditors was involved in Statement on Auditing Standards (SAS) 70 and SSAE 18 reporting before it evolved into SOC reporting, and we have professionals with significant experience establishing and testing internal controls and IT controls.
Ready to learn more? Contact us to ask about our SOC services and how a SOC report may be the seal of approval you need to show your customers that you have effective controls over their information.
- Banking: SOC Reports and PCI – Better Together
- Security Awareness: Tips to Avoid E-mail Compromise Scams
- PCI Compliance: 5 Ways to Save on the PCI DSS and SOC 2 Reporting Process
- NIST Risk Management Framework 2.0 – What You Need to Know
- HITRUST Common Security Framework Compliance – More than Just HIPAA
- SOC 2 vs. SOC for Cybersecurity