ASSURANCE SERVICES

Need SOC Reporting Quality, Efficiency and Knowledge?

Get the right SOC report to grow your business with confidence. Aprio’s SOC 2 auditors leverage over 100 years of combined experience and proprietary technology to deliver the highest level of assurance* with less business disruption.


IAS Leadership

Powell Jones, CISA, CCSFP

Information Assurance Services | Assurance Partner
Aprio, LLP
Aprio Advisory Group, LLC

Powell.Jones@Aprio.com

(770) 353-3157

Dan Schroeder, CPA, MBA

Partner, Risk Advisory and Assurance Services | Information Assurance
Aprio, LLP
Aprio Advisory Group, LLC

dan.schroeder@aprio.com

(770) 353-8379

Which SOC report do you need?

Increasingly, organizations that outsource critical functions ask their service providers for System and Organization Controls (SOC) reports to better understand the provider’s information systems and the controls around them. The flexibility and complexity of the SOC reporting framework can create confusion for first-time reporters, mature businesses and even large prospective customers.

Aprio’s Information Assurance team leverages 100+ years of combined experience to clarify your options and make sure you obtain the right report to grow your business with confidence. Below is a quick snapshot of the various types of SOC reports: their purpose, the period they cover, who typically needs them, and their estimated cost. The pricing is based on a typical SOC scope of work; cost can vary with scope or circumstance.

Report type: SOC 1
Report reason: Demonstrates how your control environment affects your customers’ financial reporting. The report covers controls relevant to your customers’ financial statements, not your own.
Length of report period: 6-12 months
Common industries: Managed services affecting customer financial statements – payroll, mortgage processors, real estate management and broker/dealers
Average number of controls: 25-40
Type I cost: Varies – typically $15K-$25K
Type II cost: Varies – typically $30K-$40K

Report type: SOC 2
Report reason: Covers the Security trust services category (required in every SOC 2) and can also cover Availability, Confidentiality, Processing Integrity and Privacy.
Length of report period: 3-12 months
Common industries: SaaS – technology companies hosting or with access to customer data
Average number of controls: 50-60 for Security, Availability and Confidentiality (the most common trust services categories)
Type I cost: Varies – typically $15K-$30K
Type II cost: Varies – typically $35K-$45K

Report type: SOC 3
Report reason: Short-form, general-use version of the SOC 2 report, usually provided when the full SOC 2 report contains proprietary information you do not want to distribute outside of customers under NDA.
Length of report period: 3-12 months
Common industries: SaaS – technology companies hosting or with access to customer data
Average number of controls: 50-60 for Security, Availability and Confidentiality (the most common trust services categories)
Type I cost: Minimal – usually $2K-$3K over the cost of the SOC 2 report
Type II cost: Minimal – usually $3K-$5K over the cost of the SOC 2 report

Other attestation options

Agreed-Upon Procedures (AUP) – Your company and the party that will rely on the report agree on a set of procedures that the auditor then performs and reports the results of. The procedures can cover most topics, as long as each one can be performed objectively by the auditor. An AUP is often used to demonstrate compliance over a scope that is smaller than, or different from, what a particular SOC report would cover.

SOC for Supply Chain – SOC for Supply Chain is the most recent SOC reporting option. It is designed to give organizations up and down the supply chain relevant information about a producer’s or distributor’s system and controls, and is aimed at companies seeking to manage supply chain risk. It is not limited to service providers; any organization in the supply chain can adopt it.

SOC for Cybersecurity – SOC for Cybersecurity is another reporting option. This report includes a description of your cybersecurity risk management program, prepared against the AICPA description criteria, and the auditor’s opinion on that description and on the effectiveness of the program’s controls. It is not limited to service providers and can be adopted by any organization, even solely for internal reporting. The control criteria can be the Trust Services Criteria used in SOC 2 or another suitable framework, so the examination goes beyond the scope of a typical SOC 2.

SOC Report Type I vs Type II

Each of these reports has the option of a Type I and a Type II. A Type I report is a point-in-time report: the auditor opines on whether the controls are suitably designed and implemented as of a single date. A Type II report covers a period of time and adds an opinion on whether the controls operated effectively throughout that period; in the first year it often covers a 6-month period, moving to a 12-month period in subsequent years. You typically do not see SOC 1 Type II reports shorter than 6 months, or SOC 2 Type II reports shorter than 3 months, in the first year an organization receives a SOC report. Apart from lower cost and a shorter path to a first report, there is usually little reason to get a Type I, and most customers expect to see a Type II.

Type I
Report it applies to: SOC 1, 2 and 3
Duration: Point-in-time
Example duration: As of June 30, 20XX
Cost: Less than a Type II. The auditor only tests the controls at a point in time, so less documentation is required.

Type II
Report it applies to: SOC 1, 2 and 3
Duration: Period-of-time
Example duration: For the period of January 1, 20XX to June 30, 20XX
Cost: More than a Type I. The auditor tests controls throughout the period, which means more samples and more documentation are required from you.

SOC audit* readiness assessment

A readiness assessment, or gap assessment, is often performed before obtaining your first SOC report. Through facilitated meetings, Aprio helps you identify “what you don’t know”: which controls should be in place to meet the SOC reporting requirements, and which of those controls still need to be implemented to close “design gaps.”

Once completed we give your team a “To Do List” that includes what will be required for the audit, so that your team can effectively prepare the required documentation.

A common second phase of a readiness assessment is the “Test-of-One,” in which Aprio’s SOC 2 auditors test a single sample of evidence for each control, as if they were performing the audit, to verify that your team produces documentation at the level needed to pass. Without this step, additional gaps may surface only during the audit itself, leaving your team scrambling to produce evidence. The “Test-of-One” takes much of the documentation guesswork out of the SOC audit.

Aprio’s SOC 2 reporting processes

Our goal is to provide a better SOC 2 audit experience. Aprio has developed standardized processes for both SOC 2 Type I and SOC 2 Type II. These processes are supported by a formal methodology and proprietary technology and are designed to deliver an efficient engagement and a quality SOC 2 report. Note that a SOC 2 engagement results in an attestation report, not a certification.

SOC 2, Type I Approach

Phase I: Planning
Phase II: Scoping (Design)
Phase III: Testing (Test-of-One)
Phase IV: Issuance of SOC 2 Type I Report

SOC 2, Type II Approach

Phase I: Planning, Scoping and Design Meeting
Phase II: Perform Observation Testing
Phase III: Perform Population Testing
Phase IV: Issue SOC 2 Type II Report

SOC 2 vs ISO 27001 – why not get both?

Having both a SOC 2 report and ISO 27001 certification is smart because it allows you to address the assurance needs of customers and prospects around the world. If cost and complexity concerns have you asking whether a SOC 2 report or ISO 27001 certification would best fit your needs, Aprio puts both within your reach.

Aprio’s practical “Test Once, Report Many” approach streamlines compliance for clients that must manage multiple certifications and reports: evidence collected once is reused across the engagements it supports, which significantly reduces the time your team spends collecting evidence for auditors and lowers the cost of compliance. As one of the few providers that can offer SOC reporting, ISO 27001 certification, HITRUST and PCI DSS compliance, Aprio is a strong compliance partner for high-growth businesses.
