SOC 1 and SOC 2 Audits: End to End Consulting and Attestation
Riskpro's SOC 2 Readiness and Attestation Services
Riskpro's unique approach to SOC engagement is sustained value addition to your business. Our readiness services enable you to remediate the control gaps in an efficient manner that not only help to get SOC 2 reports signed, but also improve productivity and efficiency in the business. That to us is a greater value. Regular certifications and engagement means that your business processes are constantly being evolved and updated thereby bringing in intrinsic business value. Riskpro’s own range of complimentary services, best practices, resources and networking ensure to deliver the best services cost effectively in preparing, auditing and maintaining the system ‘always ready’ for attestation, compliance, and benchmarking. 
Need for SOC 1 / SOC 2 / SOC 3 Reporting
- The SOC 2 audit report allows the service organization to provide its customers with independent third-party verification about the state of the internal controls governing the integrity, reliability, effectiveness, and security of the processing services provided to user organizations.
- The SOC 2 Attestation Report can be used by user organization’s financial statement auditors as a substitute for those parties performing their own first-hand audit procedures.
- Undergoing the SOC 2 Attestation distinguishes the service organization from its competitors.
- A SOC 2 audit can improve or sustain business relations between service providers and user organizations. It may be also viable to pass the costs of fees paid for the SOC Attestation to the user organization. Upgradation from old standard(SAS 70) to new SSAE 18 Standard. Use of SOC 2 Audit Reports.
- More confidence in the Services by the customers.
- Allows the service organization to meet contractual obligations.
- Provide additional comfort on risk, systems and controls to clients and business partners.
- Provide assurance on the Internal Controls and meeting objectives in case of adverse situations.
What makes us different
- We have an inhouse CPA who can sign off on the SOC 2 reports.
- We have a team of internal control experts who are currently working on a number of SOC engagements.
- As a firm, we are all about risk and controls.
- More than 650+ SOC audits completed.
Contact for More Information
Alternatively, for more information, please email manoj.jain@riskpro.in
Indepth explanation of SSAE 18
What do the following three terms have in common? • SSAE 18 • SAS 70 • SOC 1, SOC2 and SOC3 Reports The simple answer is that all these terms are inter linked in some way and are assurances over outsourced operations. In other words a SAS 70 report, a SSAE16 auditor report etc give assurance to the user of the audit report that the internal controls at the service provider are effective if the report is unqualified. With increased globalization, outsourcing seems to be the business mantra. Companies outsource systems, business processes and data processing. All outsourcing is done with an assumption that the operational risk at the service provider will be effectively managed and that the service provider is able to build a robust internal control framework. In doing so, user organisation (the company that outsources the activities) needs to gain comfort that the data, processes, inputs and outputs at the service provider location are effectively handled and does not expose user organisation to any reputation or other risks. Till recently, this was done using SAS 70 reports [Statement on Auditing Standards 70]. This gave organisation a broad comfort over the controls at service provider. However, the biggest weakness of SAS 70 reporting was its main focus was on risks relating to internal control over financial reporting. But what about risks such as give below. 1. Systems are not available at service provide to process information 2. Data confidentially of client/customer information 3. What type of security is available so that information assets are protected. Do service providers have adequate controls and policies in place to address controls that are beyond Financial reporting related controls ie operational controls. This main gap resulted in SAS 70 been replaced by another set of reports called SOC reports. SOC Reports and their meaning Let's turn to what SOC means and what are these reports. Need for a CPA review/audit As per AICPA website, "A CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities’ financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities’ customers." For this purpose and to address varying requirement of the engagement, AICPA has introduced SERIVICE ORGANISATION CONTROL (SOC)Reports. There are three types of SOC reports and you guessed it right. SOC1,SOC2 and SOC3 given below.
|
SOC1 |
SOC2 |
SOC3 |
|
Financial Controls focus |
Operational Controls focus |
|
|
Control review focus is those affecting financial statements |
Controls that may affect Security, availability, processing integrity confidentiality, or privacy |
Controls that may affect Security, availability, processing integrity confidentiality, or privacy |
|
SOC 1 is the famous SSAE 18 reports because they fall under the Statements on Standards for Attestation Engagements 16. |
They fall under the AT 101 Attestation engagement |
They fall under the AT 101 Attestation engagement |
|
Description of service organization’s system. |
Description of service organization’s system. |
CPA’s opinion on whether the entity maintained effective controls over its system. |
|
Type 1 Report - A point in time description of the controls in place. (Design effectiveness) Type 2 Report - Review of controls over a period of time, usually 12 months and also tests the operating effectiveness of the controls (Operating effectiveness |
Type 1 Report - A point in time description of the controls in place. (Design effectiveness) Type 2 Report - Review of controls over a period of time, usually 12 months and also tests the operating effectiveness of the controls (Operating effectiveness |
SOC 3 reporting is for a larger audience and gives a user greater comfort on the level of controls relating to the Trust Services Principles |
From the table above, we see that SSAE 18 has two types of reports. 1. A Type 1 report is one in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the design effectiveness of the controls. It is merely saying that the organisation has built in controls to manage and process information in manner that will ensure that the user organization does not have material misstatement of its financial statements. An example can make it clear. Let us suppose the service provider is processing Accounts Payable invoices. Then an excel error at the outsourced service provider may result in the provider understating liability (AP balances) because the updated excel sheet was not used for reporting to User organisation and 100 invoices that were received, recorded but wrongly summarized and reported. So, the management description of controls will be that every reporting is reviewed by Supervisor and Unit Head before releasing it to user organisation. Hence, in Type 1, the CPA merely states that this control is good enough or not in term of design. 2. A type 2 report is one in which in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system, opinion on the design effectiveness of the controls AND on the operating effectiveness of these controls. So, type 3 report can only be issued once the controls have been tested for their operating effectiveness. Taking the same example given above, merely saying that I am going to review reports before submitting to user organisation does not mean that it is actually reviewed. This is where operating effectiveness of controls comes into picture. Through testing of controls, service auditor gives an assurance that there are adequate controls and also these controls are operating effectively. Almost like Sox 404 review of the service provider.
SOC 2 Reporting
The purpose of the SOC 2 report is to provide an assurance or an opinion on the level of trust and assurance that user auditor and user organisation can derive from the system that the service organization has deployed that effectively mitigate operational and compliance risks. SOC 2 report demonstrates an independent auditor’s review of a service organization’s application of criteria related to one or more of the Trust Services Principles, which are: • Security: The system is protected against unauthorized access (both physical and logical). • Availability: The system is available for operation and use as committed or agreed. for reducing assessment of control risk below maximum • Processing integrity: System processing is complete, accurate, timely, and authorized. • Confidentiality: Information designated as confidential is protected as committed or agreed. • Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) An example of service provider requiring a SOC 2 reporting would be a provider providing medical transcription services. In this case, the financial reporting controls are not really so much of a concern, because little or no financial data is involved. Rather, the data confidentiality is a big concern and hence user auditor would be concerned about these compliance issues.
More Information and Free Assessment
Call us at 9833767114 or email at manoj.jain@riskpro.in if you would like to better understand what SSAE, SOC1 and SOC 2 are all about. We have CPAs in our team who can spend sufficient time to clarify all your doubts. We can even carry out a quick diagnostic, free assessment to determine which audit you need and what are the key challenges for you. To learn more about SSAE 18, SOC 1, SOC 2 reporting, please contact manoj.jain@riskpro.in or call at 98337 67114.
