
SOC Reporting Services

As your company grows, the need for an SSAE 18 – System and Organization Controls (SOC) report increases. Not only are regulatory requirements increasing in complexity, but many of your clients may require assurance that your organization has effective controls and safeguards in place for the systems that store their data. Calvetti Ferguson skillfully provides SOC readiness and examination services. Our solutions emphasize consistency, efficiency and quality control from start to finish. We see SOC examinations as a collaborative process, and work with our clients throughout the examination to help ensure there are “no surprises”. Whether you’re looking to embark upon completing a SOC examination for the first time, or if you’re looking for more from your current SOC examiner, our team is ready to help!

SOC 1

SOC 1 reports are prepared in accordance with SSAE 18. They are specifically intended to assist your clients in evaluating the effect of the internal controls at your organization on their financial reporting. A SOC 1 examination allows you to demonstrate to your clients that your internal controls are fairly presented, have been properly designed and have operated effectively throughout the period under review. These reports are intended to be used by management, your clients and their auditors.

SOC 2

SOC 2 reports are prepared for service organizations providing services to their clients for which a detailed understanding and assurance around internal controls at the organization is necessary. A SOC 2 examination allows you to provide information to your clients around internal controls which may be relevant to security, availability, processing integrity, confidentiality and privacy. These reports are intended to be used for vendor due diligence, organizational oversight, corporate governance / risk management and regulatory oversight.

The Process

We will use the three-step process below to customize the SOC reporting solution that meets your organizational needs.

Readiness Assessment

Service organizations taking on their first SOC examination will first need to ensure they are prepared for the road ahead. Readiness assessments may also be referred to as “gap assessments” and are designed to help organizations evaluate the current state of the processes and controls which would be in-scope for the examination. It is important to take this phase of the process seriously; otherwise, chances are that the service organization will be woefully unprepared and the results of the first examination may not be flattering.

 

  • Understanding the systems & processes which will be in-scope for the examination.
  • Identifying control objectives or criteria that will be in-scope for the examination.
  • Examining the initial state of the relevant internal controls present within the organization.
  • Providing recommendations for management on addressing any gaps or observations noted during the assessment.

Remediation

Now, it’s time to get to work on addressing items noted during the readiness assessment.

  • Management will begin addressing gaps that were identified during the initial readiness assessment.
  • Training should be provided for process owners to ensure adequate documentation is being created and retained, and that controls are being operated as described.
  • It is time to begin documenting the description of the systems and processes which will be included in the examination report.

Examination

At the final stage of the project, we are ready to begin the examination. Here is what you can expect:

  • An initial documentation request list will be provided 6 weeks prior to the examination.
  • Schedule a planning meeting 2 weeks prior to the examination to discuss interview schedules & on-site logistics.
  • Review documentation, interview process owners, & observe the operation of controls.
  • Draft reports are issued within 3 weeks of fieldwork completion for management’s review.

Our Technology Risk Services team has helped many organizations with their SOC reporting including:

  • Application service providers
  • Bank trust departments
  • Claims processing centers
  • Cloud computing/SaaS providers
  • Data centers
  • Facilities management providers
  • Investment management firms
  • Managed service providers
  • Mortgage companies
  • Payroll providers
  • SaaS providers
  • Transportation and logistics companies

Contact Us

Our Technology Risk Services team has a breadth of experience in both Big 4 and middle market accounting firms providing SOC services. Whether you need a SOC 1, SOC 2 or another type of SOC report, we have the experience and expertise to exceed your expectations. Interested in learning more? Complete the form below and a member of our team will reply promptly.