Experience System and Organisation Controls ("SOC") as your solution to hassle-free security management.
Outsource the response and mitigation of cyber-threats to our security specialists to prevent cyber-attacks and data breaches across your infrastructure.
With totally bespoke solutions, we ensure your security and compliance needs are met. Call our experts and receive a consultation today.
For reports that are not specifically focused on internal controls over financial reporting, SOC 2 audits are more appropriate. SOC 2 audits focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
Readiness Assessment
Many first-time clients choose to perform a Readiness Assessment prior to undergoing SOC audits. For more information regarding our Readiness Assessment and ongoing managed services, please contact us.
The GRC Audit Difference
Unlike most CPA and professional service firms, we do not view ourselves as a simple third-party vendor who is tasked with helping you seek a means to an end. Rather, our team establishes a very close-knit relationship with your team, becoming a trusted partner to your business. GRC Audit always keeps your goals and priorities at the forefront of our services delivery process.
As your trusted service partner, we are your one-stop shop for all your IT compliance and cyber-security needs. Our tailored compliance solutions and efficient auditing methods allow your company not only to save on audit and compliance costs but, more importantly, to reduce the internal effort and time your key personnel spend on annual compliance projects. Contact us today to speak to one of our team members and experience the GRC Audit difference.
A SOC 1 addresses internal controls that are relevant to a company’s internal control over financial reporting. By definition, a SOC 1 is designed to review a vendor’s financial and accounting controls. In other words, how well do they keep their books?
Additionally, there are two different types of SOC 1 reports: a SOC 1 Type I and a SOC 1 Type II. The difference? A Type I report audits controls as of a point in time (a single date). A Type II report covers controls that were in place and operating over a period of time. A Type II report is always better than a Type I because it tests control effectiveness over a period of time. A Type I report oftentimes does not test controls at all.
Most of the time, the SOC 2 is probably the report you really want. It's most definitely the report you want from an IT-type vendor. Unfortunately, because of the evolution of the old SAS 70 over the years, many folks erroneously believe that a SOC 2 report is the next level up from a SOC 1, and this couldn't be further from the truth. One is apples, the other is oranges.
A SOC 2 report is an examination of a service organization's controls over one or more of the following five (5) Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy.
A SOC 2 is the only audit (and report) that defines a consistent set of criteria specifically around the products/services that a company provides (to you). If you want a measure of how your vendor provides a secure, available, confidential and private solution, there’s only one way to get that assurance: ask for a copy of their independently audited SOC 2 report.
SOC 1 and SOC 2 reports each come in two different versions. A Type I affirms controls are in place. A Type II confirms the controls are in place and are actually operating effectively. So, yes, a SOC 2 Type II is the best representation of how well a vendor is doing when it comes to managing and safeguarding your data. However, keep in mind as you review it that the controls are defined by the vendor and tested by an auditor or CPA firm.
Once again, don't be fooled into believing that because a SOC 2 Type II is highly valuable, a SOC 3 must be the greatest of all SOC reports. It's not. From this author's perspective, I'd much rather have a SOC 2 Type II any day of the week over a SOC 3. While the SOC 3 is likely to have some of the components of a SOC 2, it's not going to be as comprehensive.
Why? It's designed to be made available publicly (without the requirement of an NDA), so by nature it's less detailed and less technical and, therefore, will not contain the same level of otherwise critical information (to you) that a SOC 2 Type II contains. Basically, it's a high-level summary of a SOC audit that comes with a seal of approval a vendor can post on their website.
A SOC 3 can be used for the initial due diligence phase with a vendor, until you have determined whether they are a serious prospect.