Keystone Audit, LLC - SOC 2 Audits Phoenix Arizona
Call (602) 935-4501

A SOC Report is an Asset

Cybersecurity has become a top priority for most companies. A SOC audit provides a third-party review of the effectiveness of cybersecurity measures. This creates trust and credibility in the eyes of prospects and clients, especially in the business-to-business sales environment. Many companies find that a successful SOC audit shortens their sales cycle and helps them win large enterprise customers.

Simplifying SOC Audits

SOC = System and Organization Controls

What is a SOC 2 Audit?

SOC 2 examinations address controls at a service organization relevant to the specific systems that the service organization uses to process its users' data. The systems examined usually fall within the categories of software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). The SOC 2 report provides users with the information needed to understand the effectiveness of controls at the service organization and how they integrate with controls at the user entity. In a SOC 2 examination, service organization management engages a CPA, working with technical professionals, to examine and report on system controls relevant to security, availability, processing integrity, confidentiality, or privacy as described in the AICPA's trust services criteria.

There are Two Types of SOC 2 Reports:

  • SOC 2 Type I: Reports effectiveness of controls at a point in time
  • SOC 2 Type II: Reports effectiveness of controls over a period of time, usually 6 months

What is a SOC for Cybersecurity Audit?

The SOC for Cybersecurity examination provides users with information to help them understand a company's management process for handling enterprise-wide cyber risk, regardless of the company's size or industry. Licensed CPAs, supported by cybersecurity professionals, examine and report on the cybersecurity risk management program using the SOC framework, which provides a consistent language for organizations to describe and report their cybersecurity efforts.

SOC 2 vs. SOC for Cybersecurity - Which is right for you?

What is examined
  • SOC 2: Your company's specific application or platform being provided to your clients
  • SOC for Cybersecurity: A holistic examination of your company's cyber risk management program

Audience
  • SOC 2: Your prospects and clients evaluating the security controls of your service (often B2B software and cloud solutions)
  • SOC for Cybersecurity: Decision-makers who may be affected by the condition of your organization's cyber risk management program (often stakeholders, partners, or customers)

Why
  • SOC 2: Shows prospective clients that they can trust your service/platform to handle their data
  • SOC for Cybersecurity: Guides business decisions with the validation of appropriate security controls for your organization

Users and distribution
  • SOC 2: Use with prospects, clients, and potential partners only as needed; the report contains sensitive information, so restrict distribution
  • SOC for Cybersecurity: The report contains an opinion about the effectiveness of controls but not detailed test results, so distribution is at management's discretion

Report description
  • SOC 2: Documents that your system's control description is presented appropriately and that the controls were suitably designed and operating effectively
  • SOC for Cybersecurity: The assertion that your company's cybersecurity program description is presented appropriately and that controls were operating effectively based on the control criteria

Other Types of SOC Audits

SOC 1:
A SOC 1 report evaluates the controls at a service organization that are relevant to user entities' internal controls over financial reporting. The SOC 1 report falls under the SSAE 18 guidance.

SOC 3:
A SOC 3 report is based upon the same Trust Services principles as a SOC 2. However, a SOC 3 report contains only non-sensitive, high-level information, so it can be freely distributed. Rather than describing specific test activities and outcomes as a SOC 2 does, a SOC 3 report only states whether or not the entity has achieved the Trust Services criteria.

A SOC 3 must be performed as an examination over a period of time (Type II). SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality, and privacy) and, if completed successfully, allow the organization to place a seal on its website.

Tell us about your audit objectives.

Contact us for a complimentary consultation and proposal for your next SOC audit.

Contact

Keystone Audit, LLC
1500 E Bethany Home Road, Suite 250
Phoenix, AZ 85014
Phone (602) 935-4501 Email info@keystoneaudit.com

© 2023 Keystone Audit, LLC - SOC 2 Audits Phoenix Arizona