SOC Audits | Briggs & Veselka Co.

SOC 1 and SOC 2 Audits

As a service provider, your clients need to know that your processes and security controls meet their standards in order to conduct business with you, which is both a competitive advantage to your service organization, and an assurance to your clients.

And as a company, you should know the strengths and weaknesses of your service providers to assure their systems and processes do not present risk to your financial reporting or data security.

What is a System and Organization Control (SOC) Audit?

SOC Audit Definition

Many service companies have the potential to impact their customers’ financial information and data integrity across their business functions. Auditors of company financials and data security protocols require assurance that the controls and processes of those service providers are in full compliance so that the integrity of company financials and their data are intact.

System Organization Control Audits, or SOC Audits, are an analysis and report given on a service organization’s controls of said financial information and data integrity. These audits provide assurance to auditors that the processes service organizations are utilizing will not have a negative impact on financial reporting or data integrity.

Who should have a SOC Audit?

Companies that should have a SOC Audit

Any service organization that houses or services confidential and private financial data should consider performing a SOC audit of their organization.

SaaS companies
Payment processors
Service providers to insurance brokers and banks
Data outsourcers

Additionally, those serving high-risk industries, including:

Financial services
Healthcare
Professional services

Learn how COVID-19 impacted the SOC audit landscape, during the pandemic and into the new normal.

What Types of SOC Audits Are Required?

SOC 1 ReportSOC 2 Report

SOC 1 Report

SOC 1 – TYPE 1 & 2

SOC 1 – Type 1 audits focus on a description of a service organization’s controls related to financial reporting and how relevant and effective those controls are designed to achieve the control objective at a point in time.
SOC 1 – Type 2 audits contain the same features of a Type 1, however it adds an opinion on the operating effectiveness of achieving the control objectives relevant to financial information integrity through that time period.

SOC 2 Report

The SOC 2 audit report focuses on data integrity and a service organization's controls that affect operations and compliance, as outlined by the AICPA’s Trust Service criteria in relation to 5 principles:

Security of data
Availability of data
Processing integrity
Confidentiality
Privacy

The SOC 2 report is a detailed account of the service auditor’s test of controls in place and the results of said controls related to data integrity. In addition to the Trust Service Criteria, SOC 2 audits can focus on cybersecurity as well.

SOC 2 – TYPE 1 and 2

SOC 2 – Type 1 audits test the Design of Controls related to security principles at a point in time.

SOC 2 – Type 2 audits contain the same features as a Type 1, however it adds an opinion on the operating effectiveness of achieving the control objectives of data integrity through that time period.

SOC Audits are organized into several types, including SOC 1 and SOC 2, under the auspices of the AICPA (American Institute of CPAs) under the SOC reporting platform.

What Type of SOC Audit Is Right for You?

SOC 1	SOC 2
Needed for: Financial Information Integrity To provide independent assurance of Internal Control over Financial Reporting (ICFR)	Needed for: Data Integrity To provide independent assurance for one or more of the following 5 principles: Security Availability Processing Integrity Confidentiality Privacy
Types of Engagements: Readiness Assessment For those who have not yet begun the process of identifying key controls and processes related to financial reporting or who need assistance developing a final control listing to later be used in SOC testing. Type 1 Testing the Design of Controls related to financial reporting. For those with an immediate need of a SOC audit, who are confident in their controls, and are seeking a 'point-in-time' assurance that their controls are suitably designed. Type 2 Testing the Design and Effectiveness of Controls related to financial reporting.	Types of Engagements: Readiness Assessment For those who have not yet begun the process of identifying key controls and processes related to relevant security principles or who need assistance developing a final control listing to later be used in SOC testing Type 1 Testing the Design of Controls related to relevant security principles. For those with an immediate need of a SOC audit, who are confident in their controls, and are seeking a 'point-in-time' assurance that their controls are suitably designed. Type 2 Testing the Design and Effectiveness of Controls related to relevant security principles.

SOC 1

SOC 2

Needed for:

Financial Information Integrity

To provide independent assurance of Internal Control over Financial Reporting (ICFR)

Needed for:

Data Integrity

To provide independent assurance for one or more of the following 5 principles:

Security
Availability
Processing Integrity
Confidentiality
Privacy

Types of Engagements:

Readiness Assessment

For those who have not yet begun the process of identifying key controls and processes related to financial reporting or who need assistance developing a final control listing to later be used in SOC testing.

Type 1

Testing the Design of Controls related to financial reporting. For those with an immediate need of a SOC audit, who are confident in their controls, and are seeking a 'point-in-time' assurance that their controls are suitably designed.

Type 2

Testing the Design and Effectiveness of Controls related to financial reporting.

Types of Engagements:

Readiness Assessment

For those who have not yet begun the process of identifying key controls and processes related to relevant security principles or who need assistance developing a final control listing to later be used in SOC testing

Type 1

Testing the Design of Controls related to relevant security principles. For those with an immediate need of a SOC audit, who are confident in their controls, and are seeking a 'point-in-time' assurance that their controls are suitably designed.

Type 2

Testing the Design and Effectiveness of Controls related to relevant security principles.

If you are a SaaS company, payment processor, or a company servicing financial institutions, a SOC audit can provide a powerful advantage to your business.

Show your prospects and clients that you are a safe and reliable option for your services.

Case Study: SOC Compliance Achieved After Corporate Restructuring

Achieving or Maintaining SOC Compliance Through Major Organizational Changes

ProblemSolutionResultsServices Employed

Problem

A company that had achieved SOC 2 compliance in previous years had since split into two independent entities with differing service offerings and key operational processes.

Both entities must maintain SOC compliance and continue to receive regular SOC audits, but the control processes defined in the previously obtained SOC 2 report were no longer fully applicable to either entity.

The company was not satisfied with services provided by previous auditors and wished to engage a new firm to take over the newly bifurcated SOC projects.

Solution

Briggs & Veselka engaged in preliminary discussions with the management of each entity to gain an understanding of processes and customer needs, after which it was determined that:

the scope of service offerings for the original entity was most appropriately addressed by a SOC 1 engagement; and
the new secondary entity required a SOC 2 audit.

SOC Readiness Review assessments were then performed for each entity, during which previously identified control processes were reviewed and a determination was made as to which entity they were applicable.

In addition, Briggs & Veselka reviewed the overall design of each company’s system of controls and identified any areas where additional control points were required to ensure SOC compliance.

Recommendations for control and process improvements were communicated to management of each entity at the conclusion of the Readiness Review engagements.

Results

The original entity was able to successfully undergo a SOC 1 Type 2 audit in the month following their SOC 1 Readiness Review, and no exceptions were identified in the course of testing.

The SOC 2 Readiness Review for the secondary entity identified necessary control and documentation improvements prior to the entity undergoing a SOC 2 Type 2 audit, and Briggs & Veselka assisted entity management in developing a remediation roadmap with the goal of completing a SOC 2 Type 2 audit within six to eight months.

Both entities were satisfied with the efficient and thorough services provided by Briggs & Veselka and elected to make the firm their long-term partner for future SOC projects.

Services Employed

SOC Readiness Reviews
SOC 1 Type 2 Audit
SOC 2 Type 2 Audit

“We have tried other vendors in the past – all “name-brand” accounting firms – but none of our prior vendors approached the professionalism and efficiency of Briggs & Veselka. Their level of service was truly outstanding. HR&P highly recommends Briggs & Veselka.”

– William Brewster, VP of HR & Legal at HR&P

Related Resources

Sonny Brandtner

James Beeler

System & Organization Controls (SOC) Audit Services