SOC 2 / 3
SOC 2 is the AICPA standard for reporting on a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy, and many customers now require a SOC 2 report before doing business with a service organization.
SOC 2 reports provide a consistent framework to report on your security controls. As a CPA firm with deep experience performing SOC reporting examinations, we are prepared to assist with issuing SOC 2 and SOC 3 reports. We can assist service organizations by providing a Type 1 or Type 2 SOC 2 report to help satisfy business partners and customers. Typically, organizations undergoing their initial SOC 2 report will perform a readiness assessment, followed by a Type 1 report, and then a Type 2 report annually thereafter.
SOC 2 reports are intended for a broad range of users who need information and assurance about the controls at a service organization: the controls over the security, availability, and processing integrity of the systems the organization uses to process user data, and over the confidentiality and privacy of the data those systems process. These reports can play an important role in:
– Enterprise sales enablement
– Vendor management programs
– Internal corporate governance and risk management processes
– Regulatory oversight
A Type 1 report provides independent, third-party verification by a licensed CPA firm as to whether internal controls described by a service organization are suitably designed to meet specified criteria, and expresses an opinion by the CPA firm as to the design of the controls at a point in time. A Type 1 report does not give assurance over a period of time, and is typically utilized for first-time issuers, as a precursor to a Type 2 report.
A Type 2 report provides independent, third-party verification by a licensed CPA firm as to whether internal controls described by a service organization are suitably designed to meet specified criteria, and expresses an opinion by the CPA firm as to both the design and the operating effectiveness of the controls over a period of time, typically twelve months in duration. A Type 2 examination is performed annually, after which the corresponding report is issued. This is the report customers, and their own auditors, generally expect, because its testing of operating effectiveness lets them rely on the report instead of performing that work themselves.
Additional subject matter from other frameworks may be included in a SOC 2+ report such as Health Information Trust Alliance (HITRUST), Health Insurance Portability and Accountability Act (HIPAA), and FINRA Cybersecurity. These frameworks can be combined with the SOC 2 framework to efficiently map and examine a single set of controls across frameworks in one report.
Formerly known as WebTrust and SysTrust reports, a SOC 3 report is a general-use report that may be displayed publicly. It is built on the same Trust Services Criteria as SOC 2, but omits the detailed description of the system, controls, and test results, and is available to any service organization that has received an unqualified SOC 2 Type 2 opinion.
CISSP, CISA – Information Assurance and Security Lead
Bryan started with Cadence in 2016, and leads the Bay Area office. Bryan has spent his career working with technology companies of various sizes providing a variety of IT security and control compliance services including: SOC (Service Organization Control) reporting, ISO 27001 assessments, Internal Audit, External Audit and Risk Assessments. Bryan is a CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditor).