System and Organization Controls (SOC) Reporting
Gain the customer trust you need to grow your business with SOC reporting from Aprio
SOC 1, SOC 2 and SOC 3 examinations and other attestation-related services leverage the high audit standards of the AICPA to provide trust and confidence in your business. Partner with Aprio to get the right SOC reporting for what’s next.
Brett Williams
CPA, CCSFP, CHQP, LA ISO/IEC 27001
National Partner, Information Assurance Services Leader,
SOC Reporting Leader
IAS Leadership
Powell Jones , CISA, CCSFP
Information Assurance Services | Assurance Partner, Aprio LLP
Powell.Jones@Aprio.com
(770) 353-3157
Dan Schroeder , CPA, CISA, CRISC, CIPP/IT, PCI-QSA
Information Assurance Services Leader | Assurance Partner, Aprio LLP
dan.schroeder@aprio.com
(770) 353-8379
SOC reporting at a glance
Increasingly, organizations that outsource critical functions are asking for System and Organization Control (SOC) reports to better understand the service provider’s information systems and processes. The flexibility and complexity of the SOC reporting architecture can create confusion for first time reporters, mature businesses and even larger prospective customers.
Aprio’s Information Assurance team leverages 100+ years of combined experience to clarify your options and make sure you achieve the right reporting to grow your business with confidence. Here’s a quick snapshot of the various types of SOC reports, their purpose, duration, who needs them and their estimated cost. The pricing in the table below is based on the typical SOC scope of work. Cost can vary based on scope or circumstance.
| Report Type | Report Reason |
Length of Report | Common Industries |
Average # of Controls | Type I Cost |
Type II Cost |
|---|---|---|---|---|---|---|
| SOC 1 | Demonstrates how your control environment affects your customer’s financial reporting. This is not over your financial reporting but your customers. |
6-12 months | Managed Services affecting customer financial statements – Payroll, Mortgage Processors, Real Estate Management and Broker/Dealers | 25-40 | Varies – Typically $15K-$25K | Varies – Typically $30K-$40K |
| SOC 2 | Covers data Security, but also can cover Availability, Confidentiality, Processing Integrity and Privacy. | 3-12 Months | SaaS – Technology companies hosting / with access to customer data | 50-60 for Security, Availability and Confidentiality (Most Common Trust Categories) | Varies – Typically $15K- $30K | Varies –Typically $35K -$45K |
| SOC 3 | Short Form SOC 2 Report usually provided if proprietary information from SOC 2. | 3-12 Months | SaaS – Technology companies hosting / with access to customer data | 50-60 for Security, Availability and Confidentiality (Most Common Trust Categories) | Minimal – Usually $2K- $3K over the cost of the SOC 2 Report | Minimal – Usually $3K-$5K over the cost of the SOC 2 Report |
Other attestation options
Agreed Upon Procedures (AUP) –A company will typically work with another company to come up with a set of “agreed upon procedures” that the auditor will perform. These procedures can cover most topics as long as the procedures can be objectively performed by the auditor. An AUP is often used to demonstrate compliance over a scope smaller or different than what might be covered by a particular SOC report.
SOC for Supply Chain – SOC for Supply Chain is the most recent SOC reporting option. This report is designed to provide relevant information to organizations up and down the supply chain and is specifically designed for companies seeking to manage supply chain risks. This report is not limited to service providers and can be adopted by organizations up and down the supply chain.
SOC for Cybersecurity – SOC for Cybersecurity is another SOC reporting option. This report includes a description of your cybersecurity risk management program. This report is not limited to service providers and can be adopted by any organization even to report just internally. SOC for Cybersecurity includes the SOC 2 framework in addition to other more in-depth criteria.
Type I vs Type II
Each of these reports have the option of a Type I and a Type II. The Type I report is a point-in-time report. The Type II report covers a period-of-time, and often in the first year, covers a 6-month period moving to a 12-month period in subsequent years. Typically, you do not see SOC 1 Type II reports shorter than 6 months and SOC 2 Type II reports shorter than 3 months in the first year receiving a SOC report. If you are not in a rush, there is usually no reason to get a Type I report other than cost, but most customers expect to see a Type II report.
| Report it applies to | Duration | Example Duration | Cost | |
|---|---|---|---|---|
| Type I | SOC 1, 2 and 3 | Point-in-Time | As of June 30, 20XX | Less cost than a Type II. Only tests the controls at a point-in-time, so less documentation is required. |
| Type II | SOC 1, 2 and 3 | Period-of-Time | For the Period of January 1, 20XX to June 30, 20XX |
More costly than Type I. The auditor tests controls throughout the period which means more samples and documentation required from you. |
Readiness assessment
A readiness assessment, or gap assessment, is often performed prior to obtaining your first SOC report. Through facilitated meetings, Aprio will help you identify “what you don’t know.” This includes helping you identify what controls should be in place to meet the SOC reporting requirements and the controls that still need to be put in place to fill “Design Gaps.”
Once completed we give your team a “To Do List” that includes what will be required for the audit, so that your team can effectively prepare the required documentation.
A common second phase of a readiness assessment is the “Test-of-One” where Aprio performs testing, as if it was performing an audit, to verify that your team has the correct level of documentation to pass the audit. If not, additional gaps might be identified during the audit, which could leave your team scrambling to try and produce something to pass the audit. The “Test-of-One" helps to take much of the documentation guess work out of the SOC audit.
Aprio’s SOC reporting processes
Aprio has developed standardized processes for both SOC 2 Type I and SOC 2 Type II. These processes are supported by a formal methodology and proprietary technology and designed to deliver efficiency and quality reporting.
SOC 2, Type I Approach
Phase I
Planning
Phase II
Scoping (Design)
Phase III
Testing (Test-of-One)
Phase IV
Issuance of
SOC 2 Type 1 Report
SOC 2, Type II Approach
Phase I
Planning, Scoping and
Design Meeting
Phase II
Perform Observation
Testing
Phase III
Perform Population
Testing
Phase IV
Issue SOC 2,
Type II Report
Information Assurance
RESOURCES
Articles
Currently there are no articles for this topic. Please check back soon.