Need SOC Reporting Quality, Efficiency and Knowledge?
Get the right SOC report to grow your business with confidence. Aprio’s SOC 2 auditors leverage over 100 years of combined experience and proprietary technology to deliver the highest level of assurance* with less business disruption.

IAS Leadership
Powell Jones, CISA, CCSFP
Information Assurance Services | Assurance Partner
Aprio, LLP
Aprio Advisory Group, LLC
Powell.Jones@Aprio.com
(770) 353-3157
Dan Schroeder, CPA, MBA
Partner, Risk Advisory and Assurance Services | Information Assurance
Aprio, LLP
Aprio Advisory Group, LLC
dan.schroeder@aprio.com
(770) 353-8379
Which SOC report do you need?
Increasingly, organizations that outsource critical functions are asking for System and Organization Control (SOC) reports to better understand the service provider’s information systems and processes. The flexibility and complexity of the SOC reporting architecture can create confusion for first-time reporters, mature businesses and even larger prospective customers.
Aprio’s Information Assurance team leverages 100+ years of combined experience to clarify your options and make sure you achieve the right reporting to grow your business with confidence. Here’s a quick snapshot of the various types of SOC reports, their purpose, duration, who needs them and their estimated cost. The pricing in the table below is based on the typical SOC scope of work. Cost can vary based on scope or circumstance.
Report Type | Report Reason | Length of Report | Common Industries | Average # of Controls | Type I Cost | Type II Cost |
---|---|---|---|---|---|---|
SOC 1 | Demonstrates how your control environment affects your customer’s financial reporting. This is not over your financial reporting but your customers’. | 6-12 Months | Managed Services affecting customer financial statements – Payroll, Mortgage Processors, Real Estate Management and Broker/Dealers | 25-40 | Varies – Typically $15K-$25K | Varies – Typically $30K-$40K |
SOC 2 | Covers data Security, but also can cover Availability, Confidentiality, Processing Integrity and Privacy. | 3-12 Months | SaaS – Technology companies hosting / with access to customer data | 50-60 for Security, Availability and Confidentiality (Most Common Trust Categories) | Varies – Typically $15K-$30K | Varies – Typically $35K-$45K |
SOC 3 | Short Form SOC 2 Report usually provided if proprietary information from SOC 2. | 3-12 Months | SaaS – Technology companies hosting / with access to customer data | 50-60 for Security, Availability and Confidentiality (Most Common Trust Categories) | Minimal – Usually $2K-$3K over the cost of the SOC 2 Report | Minimal – Usually $3K-$5K over the cost of the SOC 2 Report |
Other attestation options
Agreed Upon Procedures (AUP) – A company will typically work with another company to come up with a set of “agreed upon procedures” that the SOC auditor will perform. These procedures can cover most topics as long as the procedures can be objectively performed by the auditor. An AUP is often used to demonstrate compliance over a scope smaller or different than what might be covered by a particular SOC report.
SOC for Supply Chain – SOC for Supply Chain is the most recent SOC reporting option. This report is designed to provide relevant information to organizations up and down the supply chain and is specifically designed for companies seeking to manage supply chain risks. This report is not limited to service providers and can be adopted by organizations up and down the supply chain.
SOC for Cybersecurity – SOC for Cybersecurity is another reporting option. This SOC report includes a description of your cybersecurity risk management program. This report is not limited to service providers and can be adopted by any organization, even to report just internally. SOC for Cybersecurity includes the SOC 2 framework in addition to other more in-depth criteria.
SOC Report Type I vs Type II
Each of these reports has the option of a Type I and a Type II. The Type I report is a point-in-time report. The Type II report covers a period of time and, in the first year, often covers a 6-month period, moving to a 12-month period in subsequent years. Typically, you do not see SOC 1 Type II reports shorter than 6 months and SOC 2 Type II reports shorter than 3 months in the first year of receiving a SOC report. If you are not in a rush, there is usually no reason to get a Type I report other than cost, but most customers expect to see a Type II report.
Report Type | Report it applies to | Duration | Example Duration | Cost |
---|---|---|---|---|
Type I | SOC 1, 2 and 3 | Point-in-Time | As of June 30, 20XX | Less cost than a Type II. Only tests the controls at a point-in-time, so less documentation is required. |
Type II | SOC 1, 2 and 3 | Period-of-Time | For the Period of January 1, 20XX to June 30, 20XX | More costly than Type I. The auditor tests controls throughout the period which means more samples and documentation required from you. |
SOC audit* readiness assessment
A readiness assessment, or gap assessment, is often performed prior to obtaining your first SOC report. Through facilitated meetings, Aprio will help you identify “what you don’t know.” This includes helping you identify what controls should be in place to meet the SOC reporting requirements and the controls that still need to be put in place to fill “Design Gaps.”
Once completed we give your team a “To Do List” that includes what will be required for the audit, so that your team can effectively prepare the required documentation.
A common second phase of a readiness assessment is the “Test-of-One” where Aprio’s SOC 2 auditors perform testing, as if they were performing an audit, to verify that your team has the correct level of documentation to pass the audit. If not, additional gaps might be identified during the audit, which could leave your team scrambling to try and produce something to pass the audit. The “Test-of-One” helps to take much of the documentation guesswork out of the SOC audit.
Aprio’s SOC 2 certification and reporting processes
Our goal is to provide a better SOC 2 audit experience. Aprio has developed standardized processes for both SOC 2 Type I and SOC 2 Type II. These processes are supported by a formal methodology and proprietary technology and designed to deliver efficiency and quality reporting and SOC 2 certification.
SOC 2, Type I Approach
Phase I: Planning
Phase II: Scoping (Design)
Phase III: Testing (Test-of-One)
Phase IV: Issuance of SOC 2 Type I Report
SOC 2, Type II Approach
Phase I: Planning, Scoping and Design Meeting
Phase II: Perform Observation Testing
Phase III: Perform Population Testing
Phase IV: Issue SOC 2, Type II Report
SOC 2 vs ISO 27001–why not get both?
Having both SOC 2 and ISO 27001 is smart because it allows you to address the assurance needs of customers and prospects around the world. If cost and complexity concerns have you asking whether a SOC 2 report or ISO 27001 certification would best fit your needs, Aprio puts both within your reach.
Aprio’s practical “Test Once, Report Many” approach streamlines compliance for clients that must manage multiple certifications. Aprio can significantly reduce the time your team spends collecting evidence for auditors and help you reduce the cost of compliance. As one of the few providers who can offer SOC reporting, ISO 27001 certification, HITRUST and PCI DSS compliance, Aprio is the perfect compliance partner for high-growth businesses.