The outsourcing of core and non-core functions to third-party service providers is helping businesses increase their efficiency and profitability. At the same time, growing concern over enterprise risks that are difficult to identify, manage, and monitor has prompted organizations to require that third parties provide them with Service Organization Control (SOC 1, 2, or 3) reports. These reports are intended to help organizations understand the internal controls present at third-party service providers.
Tevora’s consultants provide extensive security knowledge and have the ability to test against both strategic and technical concepts to ensure your SOC report is defensible and accurate.
SOC 1 reports follow the guidance from AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE 18, formerly SSAE 16). They focus solely on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting and are potentially used in an audit of a user entity’s financial statements.
SOC 2 reports follow AT Section 101. They address controls at a service organization related to the Trust Service Principles (TSPs) of security, availability, processing integrity, confidentiality, and/or privacy.
SOC 3 reports address the same subject matter as SOC 2 reports, but the use of these reports is not restricted. These reports may be used by anyone and can be posted on a website under a seal. To allow for public use, the report is typically redacted to remove any proprietary and/or confidential information.