It is becoming increasingly commonplace for businesses to outsource aspects of their operations to a trusted third party. At RubinBrown, our team of professionals understands the value that System and Organization Controls (SOC) reports bring to both service organizations and user entities in today's marketplace. Our team is experienced in helping service organizations navigate the control objectives and/or the trust services criteria of SOC 1® and SOC 2® examinations, and we are driven to help service organizations "audit once and report many" to relieve audit fatigue. The graphic below depicts the three main phases of the RubinBrown SOC examination project lifecycle.
Help is Here
RubinBrown is here to help you navigate the nuances of SOC reporting. Ways RubinBrown can help:
- Seamlessly work remotely.
- Evaluate the various SOC report types and help you select which report best suits your needs as a growing service organization and the needs of your customers.
- Explain the time and resource commitments required to obtain one of the SOC reports noted below.
- Provide a hands-on risk assessment process led by an experienced member of our SOC team to help you understand the requirements of each control objective and/or trust services criteria and what that means for your business.
- Reduce the ongoing audit burden through establishing open communication, clear expectations, and transparent project tracking tools.
Your Organization Receives
- Cost and time efficiencies as a result of working with a team who works on SOC examinations day in and day out.
- A customized way to link your organization's business to relevant control activities.
- A quality deliverable that your organization will be proud to present to customers and/or prospects.
Which SOC is right for you?
The SOC report offerings available for service organizations include:
- SOC 1® — SOC for Service Organizations, ICFR: These reports are specifically designed to address controls at the service organization that are relevant to the user entities’ financial statements. They enable user auditors to perform risk assessment procedures and obtain audit evidence about whether controls at the service organization are operating effectively. Use of these reports is restricted to management of the service organization, user entities and user auditors.
- SOC 2® — SOC for Service Organizations, Trust Services Criteria: These reports address controls relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process. They provide a level of detail sufficient to address the user’s vendor risk management needs and are restricted to specified parties with sufficient knowledge and understanding of the service organization’s system and the nature of services it provides. Use of these reports generally is restricted to service organization management, user entities of the system, business partners, CPAs providing services to user entities and business partners and regulators.
- SOC 3® — SOC for Service Organizations, Trust Services Criteria for General Use Report: Like SOC 2®, these reports address controls relevant to security, availability, processing integrity, confidentiality and privacy. However, they do not provide the same level of detail. Therefore, they are considered general use reports and can be freely distributed.
The following SOC reports are available to entities beyond just service organizations:
- SOC for Cybersecurity: These examinations provide an independent, entity-wide assessment of an organization’s cybersecurity risk management program. Using this report, organizations can communicate pertinent information regarding their cybersecurity risk-management efforts. In addition, the report can be used to educate stakeholders about the systems, processes and controls the organization has in place to detect, prevent and respond to breaches.
- SOC for Supply Chain: These examinations report on controls over a manufacturing, production or distribution system and communicate to stakeholders relevant information about the entity’s supply chain risk-management efforts, processes, and controls in place to detect, prevent and respond to supply chain risks.
So when do you need a SOC report?
- You’ve been asked to provide a client (or future client) a report on your controls / security.
- A client requires a SOC 1®, SOC 2® or other SOC report.
- A future client is requiring an independent assessment related to the Cloud Control Matrix, HITRUST, ISO 27001, NIST 800-53 or another regulation or framework and you would like to report under one framework.
- Your security team is spending too much time filling out security questionnaires.
- Your compliance office, finance, legal or internal control/security groups are spending too much time filling out control questionnaires.
Webinar & Podcast Resources:
Information Technology and the Audit Committee
In this panel, led by AICPA member Karen Percent and joined by members David Wood, Torpey White, and Audrey Katcher, information technology and the role it plays in audit governance are discussed. The panel engages in a lively conversation regarding why audit committees should pay attention to information technology and what audit committee members are asking audit partners about information technology. The group deliberates the role technology plays in risk assessment and how best to explain complex technology topics to management. The panel finishes up with a discussion of cybersecurity.
This panel (David Wood, Audrey Katcher, Torpey White, and Brian Thomas) discusses the SOC 2® updates in this podcast. The panel discusses why the SOC 2® guide seems to be always changing, the major differences between the 2013 guide and the 2015 guide, and how to select a firm for SOC 2®. The panel delves into issues such as opinions and emphasis of a matter, and how SOC 2® can help “audit once – report many.”
Trust Services Principles
The panel (David Wood, Audrey Katcher, Torpey White, and Brian Thomas) discusses the changes to the Trust Services Principles (TSP). The panel discusses the changes between the Trust Services Principles & Criteria (TSCP) that was released in 2014 and the TSP that was released in 2017. They also discuss whether or not every Service Organization must include privacy in their SOC 2® audit.
- CSA Security Update, CSA STAR + SOC2 - From Readiness to Attestation: Listen in to this podcast featuring interviewee Audrey Katcher for her answers to CSA's questions and more regarding the STAR Attestation and the assessment process.
- RubinBrown SOCcer Series, Blog Entry 1: Join RubinBrown's Audrey Katcher and Jennifer Zanone as they discuss System and Organization Controls reporting, all the options available, and help understand how these reports can work in your organization's favor.
RubinBrown's Audrey Katcher has over 20 years of IT audit and service organization control experience. She currently serves on various AICPA SOC and technology working groups and task forces. Audrey's participation on these key AICPA committees provides clients the most current perspective the profession has on the new SOC standards and audit guidelines.
RubinBrown's Rob Rudloff has more than 20 years of information security experience on security reviews, mitigation, strategy and architecture development. Rob is a Certified Information Systems Security Professional, Information Systems Security Management Professional, Certified Cloud Security Professional and a Project Management Professional.
RubinBrown's Christine Figge has over 15 years of public accounting and consulting experience. Christine offers a unique perspective to the SOC 1 process since she has used the reports as an auditor, assisted management in developing their description and controls identification, and performed the attestation services related to issuing SOC reports for clients.
RubinBrown's Micah Wenz has 18 years of professional experience, which includes 14 years of audit and consulting across multiple operating systems, database management systems and enterprise resource planning packages. Micah specializes in general information technology (IT) risk assessments and controls reviews for public and non-public entities and
RubinBrown's Jennifer Zanone is an experienced compliance professional with a focus on IT risk, audit and general controls. She has managed SOC readiness assessments and IT controls testing for various clients. Jennifer has over 13 years of experience in IT consulting.
RubinBrown professionals maintain a current working knowledge of the new standards and are ready to help your organization. RubinBrown is a PCAOB registered accounting firm with an experienced team who have led and performed many SOC engagements.