Navigate Up
Sign In
Bookmark and Share

Service Organization Control (SOC) Examinations

Which Service Organization Control (SOC) examination fits your security needs?

Changes in technology and regulations are forcing businesses that outsource work to demand more information and assurance from their service providers.  They must be able to demonstrate that their chosen service providers can ensure the security, availability, and processing integrity of their systems and, in some cases, the confidentiality and privacy of the information the systems process. 

How can the service providers give, and the users get, the assurances they need?  Plante Moran information security consultants can perform a Service Organization Control (SOC) examination.  They will follow guidelines developed by the American Institute of Certified Public Accountants (AICPA) and objectively evaluate the design and operating effectiveness of internal controls.

Selecting the SOC report that fits your needs

There are three SOC report options. Plante Moran can help service providers and their users determine which report best fits their needs to provide the transparency required to ensure the
trust of stakeholders including shareholders, vendors, customers, and the public at large as well as meet the requirements of regulators.

SOC 1 reports are performed in accordance with the Statement of Standards for Attestation Engagements (SSAE 16) and focus solely on controls at the service organization that are relevant
to the audit of a user’s financial statement audit.

SOC 2 reports are based on the AICPA’s Trust Services Principles and Criteria, and address one or more of the following key system attributes: security, availability, processing integrity, confidentiality, and privacy.

There are two types of reports for both SOC 1 and SOC 2 examinations. A Type 1 report provides an opinion on the design of controls as of a point in time.  A Type 2 report provides an opinion on the design of controls and their operating effectiveness over a period of time.

SOC 3 reports use the same Trust Services Principles and Criteria as SOC 2. The difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report is for restricted use because it
contains a detailed description of the service organization’s systems, controls in place, and tests of controls performed by the service auditor. A SOC 3 report is for general use and only provides
assurance that the service organization’s systems achieved the Trust Services Principles set up by the AICPA. Like SOC 2, SOC 3 reports can address one or more of the five Trust Services
Principles and Criteria.

Logos are available for SOC 1, 2, and 3 reports for service organizations to place on their websites.

Plante Moran information security consultants can also perform a readiness assessment for SOC 1, 2, or 3 to determine if the service provider has the appropriate controls in place to successfully complete a SOC examination.

In brief:

SOC 1 (aka SSAE 16)

  • Reports on controls for services that impact financial reporting
  • Type 1 & Type 2 reports
  • Restricted to use by users and user auditors

SOC 2

  • Reports on controls for services that impact security, availability, processing integrity, confidentiality,or privacy
  • Type 1 & Type 2 reports
  • Restricted to use by users, user auditors, and prospective user entities.

 

SOC 3

  • Reports on controls for services that impact security, availability, processing integrity, confidentiality, or privacy
  • A general use report

 

"In addition to the audit and financial work, Plante & Moran has also provided us with technology services. Their knowledge of the issues and expertise in selecting and negotiating contracts with software vendors has been invaluable to us. It’s extremely beneficial to have such expertise from the same firm that can serve multiple needs of our hospital."

Tim Johnson, CFO
Eaton Rapids Medical Center