SOC 1 Examination
A SOC 1 report has gone by several names over the years (formerly SAS 70, then SSAE 16, and now SSAE 18), but its purpose has not changed. The report is most relevant to service providers that process financial transactions or support a transaction processing system. SOC 1 reports focus on the controls at the service provider that are relevant to its customers' internal control over financial reporting. The SOC 1 is made up of control objectives that can be defined by the service provider or with the help of Pease CPAs' RAS team. Each control objective is further broken down into the control activities that are in place to meet its intent. Organizations that typically consider a SOC 1 include: third-party administrators, payment processors, payroll providers, cloud ERP service providers, medical billing companies, and data center colocation providers.
SOC 2 Examination
SOC 2 reports apply to a broader range of service providers because the report addresses operational controls rather than financial reporting. The SOC 2 is made up of five Trust Services Categories (security, availability, confidentiality, processing integrity, and privacy), and a service provider can select which ones to report against, with one constraint: every SOC 2 report must include the security category. Beneath each category are criteria that must be addressed by control activities at the service provider. Organizations that typically consider a SOC 2 include: cloud service providers (SaaS, PaaS, IaaS), managed service providers, organizations whose systems house third-party data, and data center colocation providers.
SOC 3 Examination
A SOC 3 report is essentially a SOC 2 report prepared for general use: it can be posted on a website for the public to consume, whereas a SOC 2 report is a restricted-use document and is treated as confidential because it lists the specific controls in place at the service provider. Like the SOC 2, a SOC 3 is made up of the five Trust Services Categories, all of which are optional except for security. Organizations that typically consider a SOC 3 include: cloud service providers (SaaS, PaaS, IaaS), managed service providers, organizations whose systems house third-party data, and data center colocation providers.
Other Attestation Reports
Pease CPAs provides our clients with compliance and attestation reports covering a variety of security and privacy frameworks and regulations, including CCPA, GDPR, GLBA, HIPAA, HITRUST, ISO 27001, NIST 800-53, and Sarbanes-Oxley (SOX).