Adding Value to Service Organizations and User Entities
Service organizations that provide information system services or process transactions on behalf of another party (the “user entity”) increasingly require SOC reports to do business.
SOC reports were initially requested primarily to satisfy financial statement audit requirements, but they are now expected to support regulatory compliance, third party risk management, visibility into the status of cybersecurity controls, and stakeholders' demand for transparency.
Service organizations benefit from a SOC examination by:
+ Reducing the number of separate audit requests from user entities;
+ Limiting time spent responding to vendor questionnaires;
+ Building trust and confidence with user entities;
+ Analyzing the efficiency and effectiveness of their control processes; and
+ Differentiating themselves from their peers.
Types of SOC Reports
The various forms of SOC report are designed to support your specific business goals and user needs.
SOC 1
SOC 1 reports address controls at the service organization that are relevant to user entities' internal control over financial reporting, and they are restricted-use reports. We offer both SOC 1 Type 1 and Type 2 services.
Type 1 – reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2 – reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
SOC 2
SOC 2 reports (both Type 1 and Type 2) are generally restricted-use reports. They evaluate the controls over a system's security, availability, processing integrity, confidentiality, and privacy that support the organization's compliance or operational commitments. As with SOC 1, a Type 1 report covers the design of controls as of a specified date, and a Type 2 report covers design and operating effectiveness throughout a specified period.
SOC 2 Plus
A SOC 2+ examination adds further subject matter or criteria to a SOC 2 engagement, so that a single report addresses SOC 2 compliance and, at the same time, compliance with other regulations and standards (privacy frameworks, for example).
SOC 3
The SOC 3 is a Trust Services report that is available for general use, with a public seal. It assesses the same system controls as a SOC 2 (security, availability, processing integrity, confidentiality, and privacy) but omits the detailed description of the tests performed and their results, which is why it can be shared publicly.
Cybersecurity SOC
The SOC for Cybersecurity report is also appropriate for general use. The examination covers the entity's cybersecurity risk management program and the effectiveness of the controls within it. Type 1 and Type 2 reports are offered.
Trust Services Principles + Criteria
The Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (the control criteria) are used to evaluate the controls within an entity's cyber risk management program and in SOC 2® and SOC 3® engagements.
1. Security – The system is protected against unauthorized access (both physical and logical).
2. Availability – The system is available for operation and use as committed or agreed.
3. Processing Integrity – System processing is complete, accurate, timely, and authorized.
4. Confidentiality – Information designated as confidential is protected as committed or agreed.
5. Privacy – Personal information is collected, used, retained, and disclosed as committed or agreed.
SOC Report Engagement Process
Pre-Assessment
In this phase, we confirm scope and objectives. For new clients, we spend time taking a deeper dive into your systems and operations. For existing clients, we evaluate any significant changes (e.g., the addition of a Trust Services Principle, a new system, or a change in third party service provider).
Planning
Once the scope is confirmed, we create a detailed timeline, share our client assistance requirements (the evidence and personnel we will need), and communicate the plan to you.
Fieldwork
Our fieldwork is performed through both interim and period-end testing. With our deep industry knowledge and planning leading up to fieldwork, we limit the impact of our work on your personnel.
Wrap-Up and Reporting
Once fieldwork has concluded, we prepare the management representation letter, complete our quality review process, issue your final report, and hold a closing meeting.
Focused Experience
We add value to our clients by specializing in these services for your industry, working with entities that are similar in operations, size, or areas of opportunity.
Insurance
Insurance entities face regulatory requirements as well as IT and business risks. In such an environment, independent verification of your operational processes and security procedures is no longer a nice-to-have but a requirement to do business. The Johnson Lambert team works with insurance entities day in and day out, and that experience, together with the credentials and training of our integrated team of financial/operational and IT auditors, translates into a streamlined approach focused on the right areas for your organization.
Nonprofit
If your nonprofit's or a related entity's services or offerings include software as a service or access to sensitive data, a SOC report may benefit your organization by better illustrating the strength of your internal controls. Johnson Lambert has a team of both IT and financial/operational auditors who bring together their skills, credentials, and commitment to continuous learning with extensive experience in the nonprofit space.