About SOC2 (AT101) Report
A SOC 2 report is an engagement performed under AT Section 101 and is based on the existing Trust Services Principles, Criteria and Illustrations (SysTrust and WebTrust). This report has the same options as the SSAE 16 report: a service organization can decide to undergo a Type I or Type II audit. However, unlike the SSAE 16 audit, which is based on internal controls over financial reporting, the purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality or privacy. Organizations that are asked to provide an SSAE 16 report but do not have an impact on their client’s financial reporting should select this reporting option.
The SOC 2 reporting standard was created by the AICPA to fill the gap for organizations that were being asked to have a SAS 70 (now SSAE 16) audit but did not officially meet the criteria that the SAS 70/SSAE 16 standards required. Until now there was really only one recognizable audit, because SAS 70 was the de facto standard audit for all service organizations. When SAS 70 was replaced by SSAE 16 on June 15, 2011, the AICPA strategically created three different SOC reporting options to align more closely with service organizations' third-party compliance needs. Now companies can obtain the correct and recognizable third-party assurance report.
Who Should Obtain a SOC 2 Report?
As a service provider, you need to guarantee to your customers that your IT controls are aligned with their control objectives, and designed and applied effectively to meet them. A SOC 2 report also suits any organization that wants to measure its information systems against best practices, and those that may use the report to ensure that they have controls to provide security, confidentiality of stored information, processing integrity of transactions, system availability and privacy. Many organizations are good candidates for a SOC 2 report, and we provide services to industries including, but not limited to, the following:
- Hosting providers (web hosting, e-mail hosting, document storage, backup service providers, cloud computing, dedicated server, network administrators, and more)
- Production printing (direct mail marketers, print and mail providers)
- Software as a Service (SaaS)
- Application Service Providers (ASP)
- Health care service providers
- Government service providers
- And more
Note: if you are a service provider and may impact the control environment of one or more of your clients’ financial reporting activities, you should consider a SOC 1 (SSAE 16) report.
How are We Qualified to Provide a SOC 2 Report?
ControlCase has partnered with a network of CPA firms authorized to perform SOC 2 engagements. All of our CPA firms are information technology experts, with years of information technology consulting experience and a proven track record with SOC audits. Our auditors hold designations that include, but are not limited to, Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Management (CISM), Qualified Security Assessor (QSA) and more.
Why Choose ControlCase for SOC 2?
The combination of a multi-audit technology platform, world-class audit and certification experts, and a network of qualified CPA partners makes ControlCase the most flexible and adaptable audit firm in the world. Our clients span five of the seven continents, and we provide a global base of experience while maintaining the right adaptable structure to meet our ever-changing client demands.
We do all this and deliver on the promise of:
- Competitive and dynamic fee and invoicing structures
- Ongoing regulation notifications and customer support
- Secure technology project facilitators
- High quality professionals
SOC 2 Criteria?
The difference between a Trust Services report (SOC 3) and a SOC 2 report is the format of the deliverable. SOC 2 reports are virtually identical to SOC 1 reports and provide detailed reports and testing procedures for your third parties to evaluate. SOC 3 reporting is very limited and provides only enough information to understand the scope and results of the audit. The detail that SOC 1 and SOC 2 reports are needed for is not provided by the SOC 3 option.