It is becoming increasingly commonplace for businesses to outsource aspects of their operations to a trusted third party. At RubinBrown, our team of professionals understands the value that System and Organization Controls (SOC) reports bring to both service organizations and user entities in today's marketplace. Our team is experienced in helping service organizations navigate the control objectives and/or trust services criteria of SOC 1 and SOC 2 examinations, and we are driven to help service organizations "audit once and report many" to relieve audit fatigue. The graphic below depicts the three main phases of the RubinBrown SOC examination project lifecycle.
Help is Here
RubinBrown is here to help you navigate the nuances of SOC reporting. Ways RubinBrown can help:
- Evaluate the various SOC report types and help you select which report best suits your needs as a growing service organization and the needs of your customers.
- Explain the time and resource commitments required to obtain a SOC 1, SOC 2, or SOC 3 report, and whether it is reasonable for your organization to meet the requests and requirements of prospects and customers.
- Provide a hands-on risk assessment process led by an experienced member of our SOC team to help you understand the requirements of each control objective and/or trust services criterion and what each means for your business.
- Reduce the ongoing audit burden through establishing open communication, clear expectations, and transparent project tracking tools.
Your Organization Receives
- Cost and time efficiencies as a result of working with a team who works on SOC examinations day in and day out
- A customized way to link your organization's business to relevant control activities
- A quality deliverable that your organization will be proud to present to customers and/or prospects
Which SOC is right for you?
The SOC for Service Organizations offerings available include:
- SOC 1® — SOC for Service Organizations, ICFR: These reports are specifically designed to address controls at the service organization that are relevant to the user entities’ financial statements. They enable user auditors to perform risk assessment procedures and obtain audit evidence about whether controls at the service organization are operating effectively. Use of these reports is restricted to management of the service organization, user entities and user auditors.
- SOC 2® — SOC for Service Organizations, Trust Services Criteria: These reports address controls relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process. They provide a level of detail sufficient to address the user’s vendor risk management needs and are restricted to specified parties with sufficient knowledge and understanding of the service organization’s system and the nature of services it provides. Use of these reports generally is restricted to service organization management, user entities of the system, business partners, CPAs providing services to user entities and business partners and regulators.
- SOC 3® — SOC for Service Organizations, Trust Services Criteria for General Use Report: Like SOC 2, these reports address controls relevant to security, availability, processing integrity, confidentiality and privacy. However, they do not provide the same level of detail. Therefore, they are considered general use reports and can be freely distributed.
So when do you need a SOC report?
- You’ve been asked to provide a client (or future client) a report on your controls or security
- A client requires a SOC 1, SOC 2 or other SOC report
- A future client is requiring an independent assessment related to the Cloud Controls Matrix, HITRUST, ISO 27001, NIST SP 800-53 or another regulation or framework
- Your security team is spending too much time filling out security questionnaires
- Your compliance office, finance or internal control groups are spending too much time filling out control questionnaires
Information Technology and the Audit Committee
In this panel, AICPA member Karen Percent, joined by members David Wood, Torpey White, and Audrey Katcher, discusses information technology and the role it plays in audit governance. The panel engages in a lively conversation about why audit committees should pay attention to information technology and what audit committee members are asking audit partners about it. The group deliberates the role technology plays in risk assessment and how best to explain complex technology topics to management. The panel finishes with a discussion of cybersecurity.
SOC 2®
In this podcast, the panel (David Wood, Audrey Katcher, Torpey White, and Brian Thomas) discusses the SOC 2 updates: why the SOC 2 guide seems to be always changing, the major differences between the 2013 guide and the new 2015 guide, and how to select a firm for SOC 2. The panel delves into issues such as opinions and emphasis-of-matter paragraphs, and how SOC 2 can help service organizations “audit once – report many.”
Trust Services Principles
The panel (David Wood, Audrey Katcher, Torpey White, and Brian Thomas) discusses the recent changes to the Trust Services Principles (TSP), comparing the TSP released in 2014 with the version released most recently. They also discuss whether every service organization must include privacy in its SOC 2 audit.
RubinBrown's Audrey Katcher has over 20 years of IT audit and service organization control experience. She currently serves on the AICPA Trust Information Integrity Task Force and Service Organization Control (SOC) Reporting Task Force. Audrey's participation on these key AICPA committees provides clients the most current perspective the profession has on the new System and Organization Control (SOC) standards and audit guidelines.
RubinBrown's Rob Rudloff has more than 20 years of information security experience on security reviews, mitigation, strategy and architecture development. Rob is a Certified Information Systems Security Professional, Information Systems Security Management Professional, Certified Cloud Security Professional and a Project Management Professional.
RubinBrown professionals maintain a current working knowledge of the new standards and are ready to help your organization.
RubinBrown is a PCAOB registered accounting firm with an experienced team who have led and performed many SOC engagements.