Our Services


A SOC examination is critical if your organization provides a product or service that collects, processes, transmits, or stores non-public personal information. Several types of SOC examinations exist with different objectives. Learn how SOC2 Services can guide your organization through the process.

A SOC examination is governed by the American Institute of Certified Public Accountants (AICPA) and assures customers and regulators that your organization has properly designed controls that are operating effectively to achieve specific requirements. Many organizations that outsource critical products and services require a SOC examination.

  • Is your organization being asked for a SOC examination and is it ready?
  • Does your organization understand the differences between SOC 1, 2, and 3 examinations and types?
  • Can your organization define the “system” that is being described and reported on?
  • Is your organization unsure of what trust services criteria should be included in the scope of your SOC 2 examination?

We are proud to have helped numerous organizations achieve SOC certification for the first time. Our approach focuses on the delivery of a quality examination and report that is aligned with AICPA Standards and our Quality Control Program. Upon completion of a SOC examination, your organization will receive a formal report that includes the SOC certification seal.

SOC2 Readiness & Examinations

Let us help you prepare for your organization’s SOC 2 examination. If your organization has not been previously certified, a SOC 2 Readiness Assessment will identify any gaps in your organization’s internal control framework in comparison to SOC 2 trust services criteria requirements. We perform both Type I and Type II examinations, which provide an opinion on whether controls are designed and operating effectively.


Learn More About SOC 2 Readiness


Based on your organization’s scope, SOC2 Services can help your organization prepare or “ready” itself prior to the actual examination. Our guidance is based on AICPA requirements as well as best practice and industry-specific regulatory requirements. We also offer unique insight into your customers’ requirements, gained through our professional experience and in-depth knowledge of vendor risk management processes.

If you have not been previously certified, a SOC 2 Readiness Assessment will identify gaps in your internal control framework in comparison to SOC 2 trust services criteria requirements. Our approach includes the following:

  • We evaluate and map your policies, procedures, and supporting documentation to SOC 2 trust services criteria
  • We identify gaps between your documentation and trust service criteria requirements and provide detailed recommendations
  • We communicate gaps and detailed recommendations in a formal SOC 2 Readiness Assessment Report

SOC2 Services can also guide your organization by helping you understand the key criteria impacting the scope and associated cost of your examination. These criteria include:

  • The definition of the “system”
  • The selection of appropriate trust service criteria based on your industry, regulatory requirements, and the products and services your organization provides
  • How to address vendors used to support products or services that are a part of the “system”
  • The selection of a service period
  • What differentiates a “good” versus “bad” report

Learn More About the SOC 2 Examination


A SOC 2 examination can be performed as a Type I or Type II examination. In both instances, an opinion is provided on the controls designed in your organization’s system. Your system must meet the requirements of one or more trust services criteria. The trust services criteria include Security, Availability, Confidentiality, Processing Integrity, and Privacy. Trust services criteria are selected by your organization and are based on the products or services provided and the industry in which your organization operates.

  • Security – where the system is protected against unauthorized access, use, or modification (both physical and logical)
  • Availability – where the system is available for operation and use as committed or agreed
  • Processing integrity – where the system processing is complete, valid, accurate, timely, and authorized
  • Confidentiality – where information designated as confidential is protected as committed or agreed
  • Privacy – where personal information (identifiable to an individual) is collected, used, retained, disclosed, and disposed of

SOC 2, Type I Examination

A Type I examination provides an opinion on whether the description of the system fairly represents the design of the controls in place to meet service commitments and system requirements for the selected trust services criteria. A SOC 2 Type I examination is performed at a point in time. The distribution of a SOC 2, Type I report is restricted.

SOC 2, Type II Examination

A Type II examination provides an opinion on whether the description of the system is fairly represented and whether the controls designed are operating effectively to meet service commitments and system requirements for the selected trust services criteria. A SOC 2 Type II examination is performed over a period of time called a service period. The distribution of a SOC 2, Type II report is restricted.

SOC2Plus+ Examinations

Let us perform your organization’s SOC 2 Plus+ examination. A SOC 2 Plus+ examination includes the assessment of additional requirements defined in other compliance frameworks.


Learn more about the SOC 2 Plus+ Examination


A SOC 2 Plus+ examination can be either a Type I or a Type II and also includes the assessment of additional requirements defined in other compliance frameworks. These criteria may be defined by NIST’s Cybersecurity Framework, HIPAA/HITECH, the Cloud Security Alliance’s Cloud Controls Matrix (CCM), ISO 27001, or the General Data Protection Regulation (GDPR), to name a few.

SOC 2 Plus+, Type I Examination

A Type I examination provides an opinion on whether the description of the system fairly represents the design of the controls in place to meet service commitments and system requirements for the selected trust services criteria and additional compliance framework requirements. A SOC 2 Plus+ Type I examination is performed at a point in time. The distribution of a SOC 2 Plus+ Type I report is restricted.

SOC 2 Plus+, Type II Examination

A Type II examination provides an opinion on whether the description of the system is fairly represented and whether the controls designed are operating effectively to meet service commitments and system requirements for the selected trust services criteria and additional compliance framework requirements. A SOC 2 Plus+ Type II examination is performed over a period of time called a service period. The distribution of a SOC 2 Plus+ Type II report is restricted.

SOC for Cybersecurity

Let us perform your organization’s SOC for Cybersecurity examination. A SOC for Cybersecurity examination provides an opinion on the design and operating effectiveness of controls within a Cybersecurity Risk Management Program.


Learn more about SOC for Cybersecurity


A SOC for Cybersecurity examination provides an opinion on the design and operating effectiveness of controls within a Cybersecurity Risk Management Program. This Program is defined as the policies, procedures, and controls designed to protect information and systems from security events through the execution of timely detection, response, mitigation, and recovery activities. Similar to a SOC 2 examination, a Type I or Type II can be performed and can include one or more trust service criteria. Organizations can also use numerous frameworks to develop their Cybersecurity Risk Management Program.

The AICPA’s guide on Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (the cybersecurity guide) is used in performing a SOC for Cybersecurity examination. The AICPA defines a Cybersecurity Risk Management Program as the “policies, procedures, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives; and to detect, respond, mitigate, and recover from security events that are not prevented in a timely manner” (AICPA). The description criteria for a SOC for Cybersecurity examination are categorized into nine sections:

  1. Nature of business and operations
  2. Nature of information at risk
  3. Cybersecurity Risk Management Program objectives
  4. Factors that have a significant effect on inherent cybersecurity risks
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and the quality of cybersecurity information
  8. Monitoring of the Cybersecurity Risk Management Program
  9. Cybersecurity control processes

SOC for Cybersecurity, Type I Examination

A Type I examination provides an opinion on whether the description of the Cybersecurity Risk Management Program fairly represents the design of the controls in place to meet service commitments and system requirements for the Cybersecurity Risk Management Program. A SOC for Cybersecurity Type I examination is performed at a point in time. The distribution of a SOC for Cybersecurity, Type I report is restricted.

SOC for Cybersecurity, Type II Examination

A Type II examination provides an opinion on whether the description of the Cybersecurity Risk Management Program is fairly represented and whether the controls designed are operating effectively to meet service commitments and system requirements for the Cybersecurity Risk Management Program. A SOC for Cybersecurity Type II examination is performed over a period of time called a service period. The distribution of a SOC for Cybersecurity, Type II report is restricted.

Contact Us

Contact us today to discuss how SOC2 Services can help your company reach its goals.