SOC 1, SOC 2, and SOC 3 Audits

Many service organizations depend on the integrity of their control environment to serve and protect their customers and business. Such services have been provided to clients in a number of industries, including application service providers, managed services companies, colocation facilities, network service bureaus, financial institutions, data processing centers, bank trust departments, credit unions, collections agencies, benefit plan administrators, third-party administrators, investment managers, hedge fund accounting services, payroll service bureaus, lockbox operations, and document solution providers.

Moss Adams provides high-quality verification of these control environments through SOC examinations. Engagements of this nature report on the effectiveness of the controls and safeguards in place, providing you with feedback that’s both independent and actionable. Our approach to staffing these audits is to combine industry-focused and seasoned auditors with operational and IT auditors capable of addressing your unique control environment requirements.

Related to our SOC service portfolio, we have extensive experience that includes:

  • SOC pre-audit gap analysis and readiness assessments
  • Coordination among management, user entities, and auditors
  • Coaching and review of client-prepared control objectives and narratives
  • Independent assistance to document client-defined control objectives and narratives
  • SOC 1, SOC 2, and SOC 3 examinations (both Type 1 and 2 audits)
  • Dual reporting for clients involved in international markets
  • Aligning SOC 2 and SOC 3 audits to leverage the Cloud Security Alliance Cloud Controls Matrix
  • Conversion from 2009 to 2014 Trust Services Principles and the 2017 Trust Services Criteria for SOC 2 and SOC 3 audits
  • Implementation of SSAE No. 18 requirements

In addition, Moss Adams regularly provides thought leadership involving SOC audits. We sit on the AICPA Assurance Services Executive Committee (ASEC); serve on the ASEC Trust/Information Integrity Task Force, which helps update Trust Services Principles and Criteria; and participate in the development of SOC audit guides. We also frequently speak at national conferences on the topic of SOC auditing.

Insights


Guide
More and more companies are outsourcing services. Ideally, a third-party vendor would exert the same level of internal controls you would.

Webcast
Preparing for a SOC audit doesn’t have to be daunting or time-consuming. During this webcast we will discuss how to determine which report (SOC 1, 2, or 3) and which type is appropriate for your organization, the nature of the controls to promote, the time commitment to anticipate, who should be involved, and how to assemble the requisite documentation.

Alert
The AICPA’s SSAE No. 18 redrafts standards for SOC examinations and other attestation engagements and replaces SSAE No. 16.

Webcast
Service Organization Control (SOC) 2 reports always contained the option to include the privacy principle, but due to some gaps in the privacy criteria, this principle was often not used by service organizations. The American Institute of Certified Public Accountants recently updated the privacy principle to address feedback and make it widely accessible for the market. Implementation of the updated privacy criteria is effective December 31, 2016, with early implementation permitted. During this panel-style webcast, we explore what’s changed as well as what your organization needs to do to successfully adopt the new privacy principle.
