SOC Audits

Armanino’s dedicated service organization control (SOC) practice is based on a methodology designed to ensure your SOC audits are extremely efficient, while adding value.

Our Approach

Companies in a wide range of industries—from credit card processing to SaaS—face growing market pressure to prove the quality of their controls. Our service organization control (SOC) assurance services help our clients demonstrate a strong control environment to their customers. 

The word “audit” is too often associated with risk, expense and a significant time commitment from CFOs and finance teams who need to stay focused on driving their business forward. That is why Armanino has invested in a dedicated SOC practice based on a methodology designed to ensure your SOC audits are extremely efficient, while adding value.

Our dedicated SOC team provides you with deep expertise and experience—whether you’re a Fortune 1000 company, a newly minted start-up or somewhere in-between. You’ll receive an efficient audit that adheres to our core principles:

  • Transparency: Our customized audit plans provide you with the required assurance over your control environment, while effectively managing your risk through frequent transparent communication.
  • Efficiency: We leverage our many years of SOC experience so you can reduce your internal and external audit costs.
  • Reliability: Our focus on quality and proactive adoption of new audit requirements ensures that your audit report addresses the needs of your clients and their auditors.

Our Services

The standard for outsourced processes includes three separate types of SOC reports that address assurance for service organizations. For each type of report, there is an accepted professional standard under which the audit will be performed. This allows for a common nomenclature when referring to reports going forward while allowing for a more frequent update of the professional standards:

  • SOC 1 Report: This reports on the controls at a service organization relevant to a user entity's internal control over financial reporting. This report is typically used by the service organization’s customers to satisfy Sarbanes-Oxley compliance requirements. This report is performed under the Auditing Standards Board’s Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.
  • SOC 2 Report: This reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. This report is typically used by the service organization’s customers to gain comfort over selected operational controls tested at the service organization. This engagement is performed under the AT 101, Attest Engagements standards.
  • SOC 3 Report: This is a Trust Services Report which essentially covers the same subject matter as SOC 2, but the report does not include the same level of detail as the SOC 2. This report enables the service organization to publish a seal on their website indicating their compliance. This engagement is performed under the AT 101, Attest Engagements standard.

FAQ

Our approach is designed to ensure your SOC reports are seen as a value-add to your business. Part of that value is ensuring you have answers to some of the frequently asked questions related to SOC reports and SOC readiness.

What are the different types of SOC reports?

See the “Our Services” section above.

What are the differences between a Type-1 and Type-2 report?

Type-1 reports describe the service organization’s controls at a point in time. This report focuses on the design of the controls to achieve the related control objectives and does not include any testing of the operating effectiveness of those controls. The report includes the service auditor’s opinion, management’s assertion and the description of the system.

Type-2 reports focus on both the design and operating effectiveness of controls over a period of time of at least six months. The report includes all of the information in a Type-1 report with the addition of the auditor’s testing of the operating effectiveness of those controls. From an auditor’s perspective, only the Type-2 report provides assurance over a service organization’s controls relative to its client’s financial transactions.

What are the key differences between the different types of SOC reports?

SOC1

Applicable Standard: SSAE16

Scope: Controls relevant to user entities’ financial statements (general IT controls and applicable financial controls)

Report Distribution: Restricted use report

Report Content:

  • Description of service organization’s system
  • CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls
  • A type 2 report includes a description of the CPA’s tests of controls and results

SOC2

Applicable Standard: AT101

Scope: Controls related to security, availability, processing integrity, confidentiality or privacy

Report Distribution: Generally a restricted use report

Report Content:

  • Description of service organization’s system
  • CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls
  • A type 2 report includes a description of the CPA’s tests of controls and results

SOC3

Applicable Standard: AT101

Scope: Controls related to security, availability, processing integrity, confidentiality or privacy

Report Distribution: General use report (with a public seal)

Report Content:

  • An unaudited system description used to delineate the boundaries of the system
  • CPA’s opinion on whether the entity maintained effective controls over its system

What is a SOC readiness assessment?

A SOC readiness assessment is intended to assist service organizations in determining preparedness for a SOC 1, 2 or 3 audit. It is important to identify any weaknesses that may exist in the control environment in advance of any audit and a readiness assessment will provide time to remediate issues before the audit period. A readiness assessment is a detailed analysis of the current control environment to determine which controls are in place to meet the SOC audit objectives. Through this process, a report of findings and recommendations is generated to assist service organizations in ensuring that the SOC audit process runs as smoothly as possible.

How frequently do service organizations need to undergo a SOC audit?

Generally, a service organization’s customers will want a completed SOC audit report at least on an annual basis. It is recommended that service organizations choose a period-end that will allow for a SOC audit to be completed in advance of the majority of their customers’ year-ends. Some clients decide to have a report completed more frequently than annually to coincide with their multiple customers' financial reporting year-ends.

What are some of the benefits of undergoing a SOC audit?

  • Demonstrate a strong control environment to your existing and potential future customers
  • Gain a competitive advantage when seeking to attract new customers
  • Avoid the expense and challenges of responding to multiple audit requests from your customers
  • Identify redundant or ineffective internal controls that could increase cost or risk to your business
  • Support your customers in meeting their regulatory requirements in a proactive manner
