WHITE PAPER |
Authored by RSM US LLP
The AICPA developed several SOC reports to reflect a company’s control environment, but organizations must know how to make the best choice.
Organizations currently have a variety of third-party reporting options, raising key questions about the most effective means to convey the control environment in place to users. The American Institute of CPAs has designed multiple system and organization control (SOC) reports to communicate those controls, but organizations must understand which report can help users best assess the risks of outsourcing providers.
For example, SOC 1 reports focus on internal controls over financial reporting, with Type 1 reports assessing the design and implementation of controls as of a point in time and Type 2 reports assessing the design and implementation as well as the operating effectiveness of controls over a period of time. However, a SOC 2 or SOC 3 report may be more appropriate for users who are more interested in security, availability, processing integrity or privacy.
In addition, as cybersecurity risks expand and evolve, the AICPA has developed a SOC cybersecurity reporting framework to help users gain a stronger understanding of an organization’s cybersecurity risk management approach.
Read our white paper to learn more about the components of the service organization system, as well as the objectives and differences between each SOC reporting option. In addition, we provide additional detail into SOC 2 and 3 options, with insight into the specific trust service categories (availability, confidentiality, processing integrity and privacy) that companies can provide detail into beyond security, which is a required category.
While SOC reporting may seem like a complex initiative for service organizations, understanding the differences between the reports and preparing for an attestation upfront can greatly streamline the process.
This article was written by David Wood, Matt Gill and originally appeared on 2021-10-04.
2021 RSM US LLP. All rights reserved.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.
LaPorte is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.
Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.
For more information on how LaPorte can assist you, please call 713.548.2034.