System & Organization Controls (SOC) Services
We strive to bring a "common sense" approach to delivering assurance services.
For organizations undergoing their first system and organization controls (SOC) audit, it is important to engage an organization that cannot only draw upon past experiences as a service auditor, but can also collaborate with your team in the pre-audit preparation phase. This makes it easier for the goals of the ultimate users of the SOC report to be realized.
Trust is essential to building successful relationships between entities and their third-party business associates.
To build and maintain confidence in the systems and controls that protect sensitive data, users of service organizations are calling for SOC reporting.
SOC Examinations
KLR performs the following SOC examinations which are outlined below:
- A SOC 1 report examines internal controls at a service organization that impact a user entity’s (your customers) controls over financial reporting. This report is only to be issued when an auditor of your customer needs to gain comfort with your controls to be able to issue audited financial statements. This report can only be used by the auditors of user entities and user entities’ management. Within SOC 1 reporting, there are Type 1 and Type 2 reports. The Type 1 report identifies the controls at a service organization but does not perform any testing to determine if the controls are operating effectively. Type 2 reports identify the controls and report on the operating effectiveness of these controls based on the testing performed.
- A SOC 2 report provides detail on the controls at a service organization relevant to the trust service principles (security, availability, processing integrity, confidentiality and privacy). The SOC 2 report can cover any or all of these principles. A SOC 2 report is typically provided to customers to give them comfort over the controls surrounding the trust service principles. Similar to SOC 1 reporting, both Type 1 and Type 2 reports are available within SOC 2 reporting.
- A SOC 3 report involves the same procedures as a SOC 2 Type 2 report without providing the details on the controls. This report is typically used for marketing purposes and there are no restrictions on whom this report can be provided.
SOC Readiness Assessments
Organizations are often unclear of what a SOC engagement entails and whether such an examination will result in potentially significant findings. Such findings are not only an obvious concern to management but can also mean the difference in keeping an existing customer and/or securing new customers.
KLR will work with you by first performing a SOC Readiness Assessment to identify potential issues requiring remediation prior to undergoing the SOC examination. Depending upon the type of SOC report (1, 2 or 3), we will also provide advice as to the types of Control Objectives (SOC 1) that your users expect or the specific Trust Services Principles (SOC 2 or 3) that are appropriate based upon the services you provide.