A Service Organization Control report (SOC 1, 2 or 3 report) is a great way to ensure trust and confidence in your security and financial control posture that is widely recognized around the world. SOC 1 reports follow the guidance from the AICPAs Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and SOC 2 reports follow AT Section 101, both of which will soon transition to SSAE 18.
SOC 1 – SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting and are potentially used in an audit of a user entity’s financial statements.
SOC 2 – SOC 2 reports address controls at a service organization related to the Trust Service Principles (TSPs) of security, availability, processing integrity of a system, or the confidentiality or privacy of the information processed by that system.
SOC 3 – SOC 3 reports address the same subject matter as SOC 2 engagements; however, use of these reports is not restricted. Anyone may use these reports, and they may be posted on a website under a seal. To allow for this, the SOC 3 report is typically redacted from its SOC 2 counterpart for any proprietary and/or confidential information, enabling it to be publicly available.
How Coalfire Can Help
Coalfire Controls, LLC, a fully-licensed and accredited CPA firm and subsidiary of Coalfire Systems, Inc., helps service organizations examine and report on their controls, so that they can respond to and meet the needs of user entities.
Coalfire offers the following services to help service providers with their SOC reporting needs.
Gap Assessments – During a gap assessment, we help service organizations identify and document their controls, determine any gaps that need to be remediated prior to pursuing a Type 1 or Type 2 report, and provide recommendations on how to remediate the gaps identified.
Type 1 Reports – Receive a formalized SOC assessment and report on the suitability and design of controls as of a point in time. Receiving a Type 1 report denotes that all controls are properly designed and implemented. Additionally, the Type 1 report can be distributed to customers.
Type 2 Reports – We deliver a formalized SOC assessment and report on the suitability, design, and operating effectiveness of controls. A Type 2 report is an assessment over a period (typically at least six-months). A Type 2 report differs from a Type 1 report in that it requires Coalfire to sample test several controls (e.g. HR, logical access, and change management) to ensure that the controls in place were operating effectively during the assessment period, thereby increasing our overall level of effort.
Why Choose Coalfire for your SOC Reporting Needs
- Coalfire is the largest independent provider of cyber risk and compliance assessment and advisory services offering advisory and assessment services for the following frameworks:
Coalfire is first and foremost a cyber risk and advisory company. We apply our expertise in cybersecurity and cloud technology to SOC reports to ensure our customers are addressing cyber risk while satisfying vendor management requests.
Our dedicated SOC practice is a CPA firm with a cybersecurity-first mentality. Our SOC practice performs over 100 SOC engagements per year and our SOC SMEs individually perform 30+ SOC assessments per year. Experienced assessors will always lead the on-site assessment.
- We have developed a methodology to streamline the SOC assessment process compared to other accounting firms. This includes:
- Experienced senior resources leading engagements who know SOC and understand technology
- Minimizing on-site time
- Quick report delivery