SOC Audit & SOC Compliance

Armanino has extensive experience with Type 1 and Type 2 SOC reports in order to fulfill all your SOC Audit and SOC Compliance needs.
Our Approach

Efficient, Value Adding Service

Companies in a wide range of industries—from credit card processing to SaaS—face growing market pressure to prove the quality of their controls. Our System and Organization Controls (SOC) assurance services help our clients demonstrate a strong control environment to their customers.

The word “audit” is too often associated with risk, expense and a significant time commitment from CFOs and finance teams who need to stay focused on driving their business forward. That is why Armanino has invested in a dedicated SOC practice based on a methodology designed to ensure your SOC audits are extremely efficient while adding value.

Our dedicated SOC team provides you with deep expertise and experience—whether you’re a Fortune 1000 company, a newly minted start-up or somewhere in-between. You’ll receive an efficient audit that adheres to our core principles:

  • Transparency: Our customized audit plans provide you with the required assurance over your control environment, while effectively managing your risk through frequent transparent communication.
  • Efficiency: We leverage our many years of SOC experience so you can reduce your internal and external audit costs.
  • Reliability: Our focus on quality and proactive adoption of new audit requirements ensures that your audit report addresses the needs of your clients, their auditors and specific SOC compliance requirements.

SOC 1 Report

This report covers the controls at a service organization relevant to a user entity's internal control over financial reporting. It is typically used by the service organization’s customers to satisfy Sarbanes-Oxley compliance requirements. The engagement is performed under the Auditing Standards Board’s Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.

SOC 2 Report

This report covers controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. It is typically used by the service organization’s customers to gain comfort over selected operational controls tested at the service organization. The engagement is performed under the AT 101, Attest Engagements standard.

SOC 3 Report

This is a Trust Services Report which essentially covers the same subject matter as SOC 2, but the report does not include the same level of detail as the SOC 2. This report enables the service organization to publish a seal on their website indicating their compliance. This engagement is performed under the AT 101, Attest Engagements standard.

SOC for Cybersecurity

This report provides an opinion on the set of policies, processes and controls that your organization has in place to prevent cyberattacks. It is an evaluation of your organization’s cybersecurity program against industry best-practice benchmarks.

SOC for Vendor Supply Chain

Armanino will apply the SOC standards utilized in your organization to evaluate your vendors. This SOC report will give your board of directors and investors confidence in the control environments of your supply chain partners.

What are the differences between Type 1 and Type 2 reports?

Type 1 reports describe the service organization’s controls at a point in time. This report focuses on the design of the controls to achieve the related control objectives and does not include any testing of the operating effectiveness of those controls. The report includes the service auditor’s opinion, management’s assertion and the description of the system.

Type 2 reports cover both the design and operating effectiveness of controls over a period of at least six months. The report includes all of the information in a Type 1 report with the addition of the auditor’s testing of the operating effectiveness of those controls. From an auditor’s perspective, only the Type 2 report provides assurance over a service organization’s controls relative to its clients’ financial transactions.

What are the key differences between the different types of SOC reports?

SOC 1
  • Applicable Standard
    SSAE 16
  • Scope
    Controls relevant to user entities’ financial statements (general IT controls and applicable financial controls)
  • Report Distribution
    Restricted use report
  • Report Content
    • Description of the service organization’s system
    • CPA’s opinion on the fairness of presentation of the description, the suitability of design and, in a Type 2 report, the operating effectiveness of controls
    • A Type 2 report includes a description of the CPA’s tests of controls and results

SOC 2
  • Applicable Standard
    AT 101
  • Scope
    Controls related to security, availability, processing integrity, confidentiality or privacy
  • Report Distribution
    Generally a restricted use report
  • Report Content
    • Description of the service organization’s system
    • CPA’s opinion on the fairness of presentation of the description, the suitability of design and, in a Type 2 report, the operating effectiveness of controls
    • A Type 2 report includes a description of the CPA’s tests of controls and results

SOC 3
  • Applicable Standard
    AT 101
  • Scope
    Controls related to security, availability, processing integrity, confidentiality or privacy
  • Report Distribution
    General use report (with a public seal)
  • Report Content
    • An unaudited system description used to delineate the boundaries of the system
    • CPA’s opinion on whether the entity maintained effective controls over its system

What is a SOC readiness assessment?

A SOC readiness assessment is intended to help service organizations determine their preparedness for a SOC 1, 2 or 3 audit. It is important to identify any weaknesses that may exist in the control environment in advance of any audit, and a readiness assessment provides time to remediate issues before the audit period. A readiness assessment is a detailed analysis of the current control environment to determine which controls are in place to meet the SOC audit objectives. Through this process, a report of findings and recommendations is generated to help service organizations ensure that the SOC audit process runs as smoothly as possible.

How frequently do service organizations need to undergo a SOC audit?

Generally, service organizations’ customers will want a completed SOC audit report at least on an annual basis. It is recommended that service organizations choose a period-end that will allow a SOC compliance audit to be completed in advance of the majority of their customers’ year-ends. Some clients decide to have a report completed more frequently than annually to coincide with their multiple customers’ financial reporting year-ends.


What are some of the benefits of undergoing a SOC audit?

  • Demonstrate a strong control environment to your existing and potential future customers
  • Gain a competitive advantage when seeking to attract new customers
  • Avoid the expense and challenges of responding to multiple audit requests from your customers
  • Identify redundant or ineffective internal controls that could increase cost or risk to your business
  • Support your customers in meeting their regulatory requirements in a proactive manner

Associations

The Microsoft SSPA initiative (formerly known as Vendor Privacy Assurance Program compliance) is designed to standardize and strengthen the handling of Microsoft customer, partner, and employee personal information by Microsoft vendors worldwide. Microsoft vendors who collect, store or process customer, partner or employee personal information are required to comply with the program.
As the trusted source in third party risk assurance, the member-driven Shared Assessments Program has been setting the standard in third party risk assessments since 2005. Shared Assessments Program members work together to build and disseminate best practices, building resources that give all third party risk management stakeholders a faster, more rigorous, more efficient means of conducting security, privacy and business resiliency control assessments.
The American Institute of Certified Public Accountants (AICPA) provides information to user auditors and service auditors on understanding and performing SOC for service organization engagements.

HITRUST Certification for SOC Audit

Armanino is approved to provide services using the HITRUST CSF™, a comprehensive security framework that addresses the multitude of security, privacy and regulatory challenges organizations face in complying with healthcare (HIPAA, HITECH), third-party (PCI, COBIT), government (NIST, FTC) and other industry-specific regulations and standards.