In today’s world, it is standard operating practice for businesses to outsource certain tasks or functions to trusted third parties who can provide specialized services. RubinBrown has contributed to the evolution of SOC reporting. We are driven to help service organizations "audit once and report many."
Help is Here
RubinBrown is here to help you navigate efficiently and with leading-edge insight.
RubinBrown can help with:
- The ability to report to many with one report
- Developing a simple process to select what reporting is best for you and your clients
- An easy approach to readiness assessments
- Timely and clear assessments, such as SOC 1, SOC 2, SOC 2+, SOC for cyber risk management or other independent assessments
Your Organization Receives
- Teams cognizant of your existing security and compliance demands
- Proven tools to ease analysis and testing
- Experience to enable streamlined SOC efforts
- Comfort for clients with SOC reporting
Which SOC is right for you?
The SOC for Service Organizations offerings available include:
- SOC 1® — SOC for Service Organizations, ICFR: These reports are specifically designed to address controls at the service organization that are relevant to the user entities’ financial statements. They enable user auditors to perform risk assessment procedures and obtain audit evidence about whether controls at the service organization are operating effectively. Use of these reports is restricted to management of the service organization, user entities and user auditors.
- SOC 2® — SOC for Service Organizations, Trust Services Criteria: These reports address controls relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process. They provide a level of detail sufficient to address the user’s vendor risk management needs and are restricted to specified parties with sufficient knowledge and understanding of the service organization’s system and the nature of services it provides. Use of these reports generally is restricted to service organization management, user entities of the system, business partners, CPAs providing services to user entities and business partners and regulators.
- SOC 3® — SOC for Service Organizations, Trust Services Criteria for General Use Report: Like SOC 2, these reports address controls relevant to security, availability, processing integrity, confidentiality and privacy. However, they do not provide the same level of detail. Therefore, they are considered general use reports and can be freely distributed.
So when do you need a SOC report?
- You’ve been asked to provide a client (or future client) with background on your controls and security
- A client requires a SOC 1/SOC 2 or other SOC report
- A future client is requiring an independent assessment related to the Cloud Control Matrix, HITRUST, ISO 27001, NIST 800-53 or another regulation or framework
- Your security team is spending too much time filling out security questionnaires
- Your compliance office, finance or internal control groups are spending too much time filling out control questionnaires
RubinBrown's Audrey Katcher has over 20 years of IT audit and service organization control experience. She currently serves on the AICPA Information Technology Executive Committee and the AICPA Data Integrity Committee. Audrey's participation on these key AICPA committees provides clients the most current perspective the profession has on the new System and Organization Control (SOC) standards and audit guidelines.
RubinBrown's Rob Rudloff has more than 20 years of information security experience on security reviews, mitigation, strategy and architecture development. Rob is a Certified Information Systems Security Professional, Information Systems Security Management Professional, Certified Cloud Security Professional and a Project Management Professional.
RubinBrown professionals maintain a current working knowledge of the new standards and are ready to help your organization.
RubinBrown is a PCAOB registered accounting firm with an experienced team who have led and performed many SOC engagements.