-resize.png?token=f0f53e6b7e50e113e66565a89069d84a)
-resize.jpeg?token=212a5cb1986ea23fe352b99a4792e79b)
Cybersecurity has become a top priority for most companies. A SOC audit provides a third-party review of the effectiveness of cybersecurity measures. This creates trust and credibility in the eyes of prospects and clients, especially in the business to the business sales environment. Many companies find that a successful SOC audit shortens their sales cycle and helps gain large enterprise customers.
-resize.jpeg?token=7447add535993568bff0a0afbf0a0e8e)
What is a SOC 2 Audit?
SOC 2 examinations address controls at a service organization relevant to specific systems that a service organization uses to process its users’ data. The service organization’s systems examined usually fall within the categories of software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). The SOC 2 report provides users with the information needed to understand the effectiveness of controls at the service organization and how they integrate with controls at the user entity. In a SOC 2 examination, service organization management engages a CPA in conjunction with technical professionals to examine and report on system controls relevant to security, availability, processing integrity, confidentiality, or privacy as described in the AICPA’s trust services criteria.
There are Two Types of SOC 2 Reports:
What is a SOC for Cybersecurity Audit?
The SOC for Cybersecurity examination provides users with information to help them understand a company’s management process for handling enterprise-wide cyber risk, regardless of the company’s size or industry. Licensed CPAs, supported by cybersecurity professionals, examine and report on the cybersecurity risk management programs using the SOC framework, which provides a consistent language for organizations to describe and report their cybersecurity efforts.
| SOC 2 | SOC for Cybersecurity | |
| What | Examines your company’s specific application or platform being provided to your clients | Holistic examination of your company’s cyber risk management program |
| Audience | Your prospects and clients evaluating security controls of your service (often B2B software and cloud solutions) | Decision-makers who may be affected by the condition of your organization’s cyber risk management program (often stakeholders, partners, or customers) |
| Why | Shows prospective clients that they can trust your service/platform to handle their data | Guides business decisions with the validation of appropriate security controls for your organization |
| Users | Use with prospects, clients, potential partners only as needed - report contains sensitive information, restrict distribution | Report contains opinion about effectiveness of controls and not details results of tests, distribution based on management's discretion |
| Report Description | Documents that your system's control description is presented appropriately, controls were suitable and operating effectively. | The assertion that your company’s cybersecurity program description is presented appropriately and controls were operating effectively based on control criteria. |
-resize.jpeg?token=6a50c9837b25c7c190c5ca57198868d4)
SOC 1:
A SOC 1 Report evaluates the controls at a service organization which are relevant to user entities’ internal controls over financial reporting. The SOC1 Report falls under the SSAE 18 guidance.
SOC 3:
A SOC 3 report is based upon the same Trust Service Principles as a SOC 2. However, a SOC 3 report contains only non-sensitive, high-level information so it can be freely distributed. Rather than describing specific test activities and outcomes as stated in a SOC 2, a SOC 3 report only states whether or not the entity has achieved the Trust Services criteria.
A SOC 3 must be performed as an examination over a period of time (Type II). SOC 3 reports can be issued on one or multiple Trust Services principles (security, integrity, confidentiality, availability, processing, and privacy) and if completed successfully, allow the organization to place a seal on its website.
-resize.jpeg?token=0e7636335f768dab32dd277d2c8c5d47)