Is your report designed to target financial reporting and/or auditors?

Is your report designed to target services provided in the cloud and/or security?

Is your report designed to target marketing needs?

CRI can help you monitor your internal “control towers” to assess traffic patterns and protect your clients’ data.

If your organization provides services for other entities, then it is also known as a “service organization.” As cybersecurity concerns fly to new heights, your clients – also called “user entities” – expect greater assurance that your internal controls are working properly and protecting their data from any potential risks. This requirement is especially true if your services involve sensitive information, such as electronic patient health data or financial transactions. Your clients may request this assurance in the form of a service organization controls (SOC) report. But what is a SOC report?

The three primary types of SOC reports – SOC 1, SOC 2, and SOC 3 – are objective evaluations of how well your organization’s internal “control towers” are structured to process information and/or safeguard your clients’ data. Depending on the level of assurance your clients demand, the SOC report they need from you may describe how your controls impact financial reporting (SOC 1) or how closely your controls abide by the American Institute of Certified Public Accountants’ (AICPA’s) Trust Services Principles (SOC 2 or SOC 3). Determining which SOC report is right for your users’ needs may sometimes feel like you are flying in circles, but CRI can help you land on the right SOC reporting option.

Our SOC reporting team has extensive knowledge of the common types of service organizations and the user entities that work with them. This expertise allows us to both guide you to the proper type(s) of report(s) and test your internal controls efficiently and thoroughly. Because our team produces a high volume of quality SOC reports annually across a variety of industries, we know how to address your unique situation. Buckle up, put your tray table upright and in locked position, and take off with us on a journey through an efficient SOC reporting process that meets your – and your users’ – needs.

Steve E. Driz, VP, Customer Experience/CISO, OutsideIQ
“Recommended by the hosting partner, Auditwerx helped us secure a SOC 2 Type 1 and Type 2 attestation in under four months. Both operations and auditing teams executed the engagement flawlessly, on time, and on budget. The Auditwerx team provided us with the necessary guidance, tools, and knowledge, allowing us to improve the overall process concerning both systems' security and privacy, as well as the support to implement better controls that are a hard requirement in our sector. Auditors were extremely courteous and patient with a great sense of urgency when it was needed the most. We would highly recommend Auditwerx's services to organizations of all sizes and requirement complexities.”


Straight Talk

Translating technical jargon into a plain English “text.”

OPERATIONS MANAGER: Our company delivers online training to hospital employees, and those hospitals depend on us to protect their employees’ training records. Plus, they must be able to access our system at all times since they may need to produce reports that verify their employees’ training for regulators during an on-site visit. What type of SOC report do I need?

CRI: Your hospital clients rely on you for security of their data, as well as the availability—which is one of the AICPA’s Trust Service Principles—of your online platform. The combination of security and availability means that you require a SOC 2 report.

OPERATIONS MANAGER: That’s what I thought, but I wanted to verify before beginning the process. Am I able to utilize that report for marketing purposes so that other potential clients know that we’ve completed the SOC 2 reporting process?

CRI: A SOC 3 report is available for external marketing purposes, and you can request both a SOC 2 and SOC 3 report so that you are able to utilize it publicly.

OPERATIONS MANAGER: Great—that’s exactly what I’d like to do. How do I get started?

CRI: Let’s set a meeting for this week to begin the process.

Solutions Simplified

Down-to-earth descriptions of our services.

SOC 1

A SOC 1 report – prepared according to the American Institute of Certified Public Accountants’ (AICPA’s) Statement on Standards for Attestation Engagements (SSAE) No. 16 – describes a service organization’s internal controls over financial reporting (ICFR). Two types of SOC 1 reports exist:

  1. SOC 1, Type 1 Report. It informs the organization’s clients (users) and users’ accountants that its internal controls are accurately described, in place, and structured to accomplish its financial control objectives.
  2. SOC 1, Type 2 Report. This report goes further than the Type 1 Report and informs the reader about the operating effectiveness of the controls during a defined period. The Type 2 report also thoroughly describes the auditors’ procedures and results of the verification tests.

SOC 2

A SOC 2, Type 1 report provides details on how well a service organization’s description of its controls abides by one or a combination of the American Institute of Certified Public Accountants’ (AICPA’s) Trust Services Principles:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

The SOC 2, Type 2 report describes how well the operations of the controls reflect these principles. Both types of SOC 2 reports are only for internal use.

SOC 3

A SOC 3 report, also commonly called a SOC 3 certification, is similar to a SOC 2 report since it also provides information regarding how well a service organization’s controls operate compared to the American Institute of Certified Public Accountants’ (AICPA’s) Trust Services Principles:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

The SOC 3 report is less detailed than the SOC 2 report to enable a service organization to use this report for external marketing purposes.