SOC
SOC – System and Organization Controls
Building Trust and Confidence in Third-Party Relationships
In a global economy, businesses must have trust and confidence in their partners and vendors. SOC reports enable organizations to demonstrate to both customers and prospects the controls and safeguards for managing their data and/or infrastructure.
Our Services include:
SOC Gap Assessments
Scope includes:
Project planning and management
Scope assessment
Identification of relevant control objectives and domains
and more…
SOC 1
Scope includes:
Internal controls over financial reporting
Type 1 or Type 2
and more…
SOC 2
Scope includes:
Trust Services Criteria
Security, Availability, Processing Integrity, Confidentiality, Privacy
and more…
SOC 3
Scope includes:
Trust Services Criteria
Summarized SOC 2
and more…
Schedule a Meeting With Us
SOC Gap Assessments
SOC Gap Assessments assist service organizations in assessing their preparedness for a SOC audit. Gap Assessments identify those controls that should be implemented or improved prior to an actual audit. Gap assessments also help your organization mitigate the risk of a qualified opinion or reporting exceptions.
Independent SOC assessments have become an important part of building trust between service providers and their clients. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. SOC 2 and SOC 3 engagements address controls at the service organization that relate to operations and compliance.
Scope includes:
Project planning and management
Scope assessment
Identification of relevant control objectives and domains
Interviews and questionnaires for information gatheringDetailed descriptions of your controlsIdentification of controls in place for each in-scope control objectivePrioritized remediation of control gaps and recommended enhancementsSOC 1
SOC 1 reports are examination engagements undertaken by a service auditor to report on a service providers controls that are relevant to user entities’ internal control over financial reporting. The services can only be delivered by a licensed firm such as TrustNet.
Gap Assessments
Help your organization assess the controls in place and mitigate the risk of a qualified opinion or reporting exceptions
Type 1
Report on the service organizations description of controls and the suitability of the design of the controls to achieve the related control objectives as of a specified date
Type 2
Report on the service organizations description of controls and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives over a specified period of time
SOC 2
SOC 2 reports are examination engagements undertaken by a service auditor to report on the service organization’s operational controls to meet the selected Trust Services Criteria. The services can only be delivered by a licensed firm such as TrustNet.
Gap Assessments
Help your organization assess the controls in place and mitigate the risk of a qualified opinion or reporting exceptions
Type 1
Report on the service organizations description of controls and the suitability of the design of the controls to achieve the related control objectives as of a specified date
Type 2
Report on the service organizations description of controls and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives over a specified period of time
SOC 2 Trust Services Criteria
Security
The system is protected against both physical and logical unauthorized access
Availability
The system is available for operation and use as committed or agreed
Processing Integrity
System processing is complete, accurate, timely and authorized
Privacy
Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in privacy principles
Confidentiality
Information designated as confidential is protected as committed or agreed
SOC 3
SOC 3 reports are engagements undertaken by a service auditor to report on the service organization’s operational controls to meet the selected Trust Services Criteria. The services can only be delivered by a licensed firm such as TrustNet.
SOC 3 Trust Services Criteria
Security
The system is protected against both physical and logical unauthorized access
Availability
The system is available for operation and use as committed or agreed
Processing Integrity
System processing is complete, accurate, timely and authorized
Privacy
Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in privacy principles
Confidentiality
Information designated as confidential is protected as committed or agreed
SOC 3 Services Include
Gap Assessments
Assess the controls in place to meet the Trust Services Criteria with the goal to ensure preparedness for the SOC 3 examination and help mitigate the risk of a qualified opinion or reporting exceptions
SOC 3
Report on the service organization’s operational controls pertaining to the suitability of the design and operating effectiveness of controls intended to meet the selected Trust Services Principles and Criteria over a specific period of time. Unlike the SOC 1 and SOC 2, there is no point-in-time “Type 1” examination for a SOC 3 assessment
Which SOC Report is right for you?
SOC 1
Scope includes:
Internal controls over financial reporting
Type 1 or Type 2
and more…
SOC 2
Scope includes:
Trust Services Criteria
Security, Availability, Processing Integrity, Confidentiality, Privacy
and more…
SOC 3
Scope includes:
Trust Services Criteria
“Summarized SOC 2”
and more…
Type 1 Assessment
Scope includes:
At a point in time
Type 2 Assessment
Scope includes:
Over a period of time
SOC for AWS
With the growing migration to cloud hosting, many companies are operating their systems on Amazon Web Services (AWS). AWS provides a comprehensive set of cloud services for information technology professionals to build, deploy, and manage their applications. AWS has a vast network of secure and redundant data centers that help ensure the safety of their data. Additionally, AWS has undergone SOC audits that demonstrate to their clients and investors that their infrastructure is completely secure. While this makes AWS SOC compliant, the audit does not extend to their cloud customers. This is where an experienced independent third-party, like TrustNet, becomes of value.
AWS FAQ’s
Does AWS' SOC report make you SOC compliant?
No. Even though your services are built with AWS, your organization has not gone through a SOC audit. When undertaking a SOC audit, the majority of the audit must be passed by the cloud customer. The cloud customer is responsible for implementing administrative policies and internal security controls. TrustNet, a leading provider of SOC 2 audits, has extensive knowledge and experience in assisting companies operating in the AWS cloud environment.
What parts of your SOC audit are covered by AWS?
Parts of your audit are covered through what is commonly known as “a carve-out.” AWS is responsible for some of the controls that will meet SOC 2 criteria, such as physical compliance safeguards. Your business however will need to go through the rest of the audit for you to be SOC compliant.
What will a SOC audit cost me?
Since you have used AWS for part of your controls, you will have fewer controls to comply with. Additionally, you may be able to “carve-out” additional controls based on your service providers, thereby reducing your total number of controls that need to be audited.
TrustNet offers premium pricing for companies utilizing AWS. Please refer to the SOC pricing page for additional pricing information.
The SOC Timeline
Phase 1 - Readiness Assessment
Elapsed Time: (3 to 6 Weeks)
Onsite and offsite assessment
Types of Gaps
Documentation (Policies and Procedures)
Configuration
Audit Trail
Technical Tools
Phase 2 - Remediation
Elapsed Time: (2 to 8 Weeks)
Client execution
Technical tools
Implement procedures
Document policies and procedures
Configuration
Audit trail – retention of artifacts
Phase 3 - Assessment and Reporting
Elapsed Time:
Type 1: (4 to 6 Weeks); Type 2: (7 months);
Type 1: (4 to 6 Weeks); Type 2: (7 months);
Includes onsite assessment (required)
1st round of testing
2nd round of testing
Why Clients Choose TrustNet
TrustNet serves clients of all sizes, across multiple industries with extensive expertise and over a decade of experience. We provide deep experience, efficiency, and quality professional services. Just ask our clients.
Schedule a Meeting With Us