What is a SOC Report?

Service Organization Controls, or SOC, reports summarize the technical and policy controls that secure a service organization’s information. They are used to determine whether an organization is following best security practices. Some businesses require their vendors to supply a SOC report before they begin working with them.

The American Institute of Certified Public Accountants (AICPA) defines SOC reporting and auditing standards. The AICPA defines three types of SOC reports, with the SOC 2 report being the most popular. This type addresses “Trust Services Criteria,” which focus on controls relevant to security, availability, processing integrity, confidentiality, and privacy.

Many large organizations ask for a SOC 2 report from their vendors because it is a respected standard. The only way to get one is to have a third party audit your controls. The report includes an attestation, which is tied to the reputation of the auditor. Within SOC 2, there are two report types:

SOC 2 Type 1 Report

A SOC 2 Type 1 report covers management’s description of the organization’s system and the suitability of the design of its controls.

SOC 2 Type 2 Report

SOC 2 Type 2 is the most popular type of report. It covers the same material as Type 1, plus whether the controls operated effectively.

How Can You Prepare?

If you are not maintaining an existing system of controls that has been audited by a third party, you should plan on having outside assistance to prepare for the audit required to produce a SOC report. That readiness party must be separate from the auditor. There are firms that specialize in SOC audit readiness assistance. Once the controls have been readied for audit and have been in use for a suitable period, an audit can be conducted and a report can be issued.

How Much Does it Cost?

Time and expense for a SOC report vary depending on the organization. Including the audit readiness preparation, the audit period, and the actual audit and report generation, you can expect roughly 18 to 24 months of work and expenses starting at $50,000 to $75,000. This does not include the time and expense of implementing changes to systems during the audit readiness phase.

Can Chortek Help Us Get a SOC Report?

We cannot issue a SOC report directly, nor do we provide SOC auditing services. If we are your outsourced IT provider, it’s important that we remain independent of both the readiness consultant and the auditor. However, we can help you find both an audit readiness consultant and an auditor. We will also help you implement the recommended changes during the readiness phase.

Managed IT Service Sets You Up for SOC Success

Our Managed IT Service team continually updates our recommendations and processes to support SOC readiness. If your organization uses our Managed Network Service or Cyber+ service, many of the continuous improvement processes we provide support the successful completion of a SOC reporting project. Talk to our Managed IT Service team to learn more!