System & Organization Controls (SOC) Audits

With the arrival of the Sarbanes-Oxley Act (SOX), other transparency requirements, and increasing globalization and outsourcing, the use of SSAE 18 engagements has grown dramatically. Service organizations that provide key third-party outsourced services often need to be accountable to the clients they serve. These organizations include claims processors, application service providers, benefits administrators, payroll companies, data centers, and many others.

SOC Reporting

System and Organization Controls (SOC) audits offer three report options developed for service organizations to respond to demands for uniform reporting and review. They expand a service organization’s ability to report on financial controls and on non-financial controls and, with SOC 3, to hold itself out publicly as a trusted-systems service organization whose controls have been examined by an independent auditor.

CPAs perform SSAE 18 attestation engagements to provide assurance to the service organization’s customers and their auditors that the organization has specific, suitably designed and effective controls in place.

  • Type 1 audits evaluate the design effectiveness of controls at a specific point in time.
  • Type 2 audits examine both the design and the operating effectiveness of controls over a specified period, typically 6 to 12 months.

SOC 1, SOC 2 and SOC 3 engagements address today’s environment:

  • The need for greater international consistency
  • New technologies such as cloud computing, mobile and virtualization
  • The demand for reporting options that are more widely recognized and understood

We provide SOC audits to clients across the country and maintain appropriate licensure in the states in which we perform attest work. We also have in-depth industry knowledge to help service providers in a variety of industries, including healthcare and claims processing, financial services, cloud service providers, and colocation and hosting providers.

Which type of SOC report is best for you? (SOC 1, SOC 2 or SOC 3)

SOC reports help your business retain existing customers and attract new ones. Every business that shares critical data with a service provider wants to be sure that the business partner is doing all it can to protect its vital information assets. How do you prove that you are?

Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customers’ financial statements?
If you answered yes, you need a SOC 1.

Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or a similar law or regulation?
If you answered yes, you need a SOC 1.

Will the report be used by your customers or stakeholders to gain confidence in, and place trust in, the service organization’s IT systems?
If you answered yes, you need a SOC 2 or a SOC 3.

Do you need to make the report available to parties who are not your customers?
If you answered yes, you need a SOC 3.

Do your customers need, and are they able to understand, the details of the processing and controls at the service organization, the tests performed by the service auditor, and the results of those tests?
If you answered yes, you need a SOC 2. If you answered no, a SOC 3 is sufficient.

SOC 1 Audits

A SOC 1 requires management to provide a written description of its system and to assert that the description is fairly presented, that the controls are suitably designed to achieve the stated control objectives and are operating effectively, and to identify the criteria used to make those assertions.

A SOC 1 examines a service organization’s controls relevant to its customers’ financial reporting. SOC 2 and SOC 3 examine controls relevant to security, availability, processing integrity, confidentiality, and privacy, measured against the AICPA Trust Services Criteria (TSC).

SOC 1 Audit Team

If you are interested in more information on SOC 1 Audits, please contact Paul and Jacob.

There are two key differences between a SOC 2 report and a SOC 3 report. First, a SOC 2 report contains a detailed description of the service auditor’s tests of controls and the results of those tests, together with the service auditor’s opinion on the description of the service organization’s system; a SOC 3 report does not. Second, a SOC 3 report can be distributed freely, while a SOC 2 report is a restricted-use report intended for the service organization’s customers and their auditors.

SOC 2 and SOC 3 Engagements

SOC 2 Engagements

SOC 2 engagements use the TSC together with the requirements and guidance of the AICPA attestation standards (historically AT Section 101, Attest Engagements, of the SSAEs in AICPA Professional Standards, vol. 1; recodified under SSAE 18 as AT-C Sections 105 and 205). SOC 2 reports are similar in structure to SOC 1 reports. Either a Type 1 or a Type 2 report may be issued, and the report provides a description of the service organization’s system. A Type 2 report also includes a description of the tests performed by the service auditor and the results of those tests.


SOC 3 Engagements

SOC 3 engagements use the same predefined Trust Services Criteria that are used in SOC 2 engagements. A SOC 3 report is a general-use report that provides only the auditor’s opinion on whether the system achieved the Trust Services Criteria, with no description of the tests performed or their results. It also allows the service organization to display the SOC 3 seal on its website. A SOC 3 report may be issued on one or more of the Trust Services Criteria categories (security, availability, processing integrity, confidentiality, and privacy).

SOC 2 and SOC 3 Audit Team

If you are interested in more information on SOC 2 or SOC 3 Audits, please contact Drew and Robyn.

Client Testimonial

You will not find a more professional team than LBMC. They are easy to work with, challenge us to be better, and deliver excellent results every time. LBMC has been our partner for many years and has worked alongside us as a trusted advisor in helping with our SOC audit needs.
Senior Director of Governance, Risk, and Compliance at a leading software and information solutions provider

SOC for Cybersecurity

The SOC for Cybersecurity examination is designed to provide report users with information that helps them understand management’s process for handling enterprise-wide cyber risk. It can apply to any type of organization, regardless of size or industry, and the report users need not be current customers or the customers’ auditors.

SOC for Cybersecurity provides:

  • A standard, consistent way to report on an entity’s cybersecurity risk management program (CRMP).
  • An effective way to communicate the effectiveness of cybersecurity controls to stakeholders, boards, committees, customers, and partners through a comprehensive cybersecurity examination.

A SOC for Cybersecurity report differs from a SOC 2 report in the following ways:

  • The baseline against which an entity is assessed in SOC for Cybersecurity is the AICPA Description Criteria for management’s description of the entity’s cybersecurity risk management program.
  • An organization pursuing a SOC for Cybersecurity may use the Trust Services Criteria, but it may also use another generally accepted security framework when designing or assessing its control requirements.
  • A SOC for Cybersecurity report is a general-use report, and the objectives of the report are typically determined by company management. These reports are intended for a broader audience than SOC 2 reports and may be shared with anyone inside or outside the organization.
  • In a SOC for Cybersecurity, the control matrix (the detailed listing of controls, the auditor’s tests, and their results) is not included in the report.

The LBMC SOC audit team was instrumental in working with the AICPA to create and release this assessment to help you achieve compliance and provide the insights you need to make better business decisions.


Webinar: What Should Be Included in My SOC Description?

LBMC’s Richard Beard shares an overview of SOC system descriptions and what should be included in an organization’s SOC 1 and SOC 2 reports.

SOC Audit Team

Paul Demastus
Shareholder, Audit & Advisory
Nashville

Drew Hendrickson
Shareholder & Cybersecurity Practice Leader
Nashville

Jacob Schuetze
Shareholder, Audit & Advisory
Nashville

Robyn Barton
Shareholder, Cybersecurity
Nashville