Successful completion of a SOC report provides an understanding of the internal controls to help assess and address risks associated with outsourced services.
Engaging a knowledgeable service partner is critical if your staff members aren’t experienced in extensive compliance efforts, or in the SOC process itself. How a service provider delivers its services is critical to a successful project outcome and to building a sound business relationship.
As a firm that issues hundreds of SOC reports annually, Grant Thornton can help you navigate the engagement process and assist your organization in:
- Understanding the new Attestation Standards (SSAE 18);
- Determining which attestation report is the right fit for your organization;
- Identifying challenges and potential roadblocks early on in the process;
- Conducting a gap and risk analysis for organizations undergoing a SOC report for the first time; and
- Designing a customized process to help your organization benchmark and compare internal controls against industry best practices.
Types of SOC Reports
SOC 1®
— These reports are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
SOC 2®
— These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems.
SOC 3®
— These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy, but do not have the need for, or the knowledge necessary to make effective use of, a SOC 2® report. Since they are general-use reports, SOC 3® reports can be freely distributed.
SOC 2 + Additional Subject Matter
— A service organization may request that the service auditor’s report address criteria in addition to the applicable trust services criteria, additional subject matter (such as HITRUST or NIST) related to the service organization’s services, evaluated against suitable criteria for that subject matter, or both.
SOC for Cybersecurity
— The AICPA has developed a cybersecurity risk management reporting framework that helps organizations communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The framework is a key component of the new SOC for Cybersecurity engagement, through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors, and business partners gain a better understanding of an organization’s cybersecurity efforts.