A System and Organization Controls report (SOC 1, 2 or 3 report) is a great way to ensure trust and confidence in your security and financial control posture that is widely recognized around the world. SOC reports follow the guidance from the AICPAs Statement on Standards for Attestation Engagements No. 18 (SSAE 18, formerly SSAE 16).
SOC 1 – SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting and are potentially used in an audit of a user entity’s financial statements.
SOC 2 – SOC 2 reports address controls at a service organization related to the Trust Service Categories (TSCs) of security, availability, processing integrity of a system, or the confidentiality or privacy of the information processed by that system.
SOC 3 – SOC 3 reports address the same subject matter as SOC 2 engagements; however, use of these reports is not restricted. Anyone may use these reports, and may post them on a website or in other public-facing materials. To allow for this, the SOC 3 report is typically redacted from its SOC 2 counterpart for any proprietary and/or confidential information, enabling it to be publicly available.
How Coalfire can help
Coalfire Controls, LLC, a fully licensed, accredited CPA firm and affiliate of Coalfire Systems, Inc., helps service organizations examine and report on their controls, so that they can respond to and meet the needs of user entities.
Coalfire offers the following services to help service providers with their SOC reporting needs.
Gap Assessments – During a gap assessment, we help service organizations identify and document their controls, determine any gaps that need to be remediated prior to pursuing a Type 1 or Type 2 report, and provide recommendations on how to remediate the gaps identified.
Type 1 Reports – Receive a formalized SOC examination and report on the suitability and design of controls as of a point in time. Receiving a Type 1 report denotes that all controls are properly designed and appropriate to meet applicable criteria.
Type 2 Reports – We deliver a formalized SOC examination and report on the suitability, design, and operating effectiveness of controls. A Type 2 report is an assessment over a period (typically at least six months). A Type 2 report differs from a Type 1 report in that it requires Coalfire to sample test several controls (e.g., HR, logical access, and change management) to ensure that the controls in place were operating effectively during the assessment period, thereby increasing our overall level of effort.
Why choose Coalfire for your SOC reporting needs
- Coalfire is the largest independent provider of cyber risk and compliance assessment and advisory services offering advisory and assessment services for the following frameworks:
Coalfire is first and foremost a cyber risk and advisory company. We apply our expertise in cybersecurity and cloud technology to SOC reports to ensure our customers are addressing cyber risk while satisfying vendor management requests.
Our SOC practice has a "cybersecurity-first" mentality. We perform over 150 SOC engagements per year and our SOC SMEs individually perform 30+ SOC assessments per year. Experienced assessors will always lead the on-site assessment.
Our team uses CoalfireOne to ensure projects are consistently managed and that compliance challenges are identified early so they can be addressed quickly and cost-effectively. CoalfireOne is designed for collaboration to ensure our clients are an integral part of the assessment process.
- We have developed a methodology to streamline the SOC assessment process compared to other accounting firms. This includes:
- Experienced senior resources leading engagements who know SOC and understand technology
- Minimizing on-site time
- Quick report delivery
Agreed-upon procedures services
For subject matter outside of SOC, Coalfire can issue a practitioner's report of findings based on agreed-upon procedures from specified parties under SSAE 18 standards.
Coalfire’s objectives in conducting an agreed-upon procedures engagement would be to:
- Apply procedures that are established by the specified parties.
- Issue a written practitioner's report that describes the procedures and findings.
Since agreed-upon procedure engagements can vary greatly, the parties are responsible for drawing their own conclusions on the results of tests to measure effectiveness.
Communication support services
What does the market think of you today? Does it tell the story that you want to be told? Is it told by a cybersecurity expert?
Coalfire is the leading cybersecurity advisor to many organizations, offering trusted insights that help companies reduce risk, simplify compliance, and remain secure. Coalfire specializes in developing key messages that drive go-to-market strategies that reach organizations’ key audiences.
To help reach your target audiences, Coalfire also offers Communication Support Services to supplement your SOC report. Our marketing team can work with you to develop press releases and conduct webinars that provide more depth and coverage for your organization.