SOC 2

| Report | Who Are the Users | Why | What |
| --- | --- | --- | --- |
| SOC 1® | Users' controller's office and user auditors | Audits of f/s | Controls relevant to user financial reporting |
| SOC 2® | Management; Regulators; Others | GRC programs; Oversight; Due diligence | Concerns regarding security, availability, processing integrity, confidentiality or privacy |
| SOC 3® | Any users with need for confidence in service organization's controls | Marketing purposes; detail not needed | Easy-to-read report on controls |

SOC 1 & 2 Audits

SOC 1
Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1® reports are examination engagements performed by a service auditor (CPA) in accordance with Statement on Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organization, to report on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. Use of a SOC 1® report is restricted to existing user entities (not potential customers) and their auditors.

SOC 2
Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: SOC 2® reports are examination engagements performed by a service auditor (CPA) in accordance with AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards) using the predefined criteria in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Questions & Answers). SOC 2® reports specifically address one or more of the following five key system attributes: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 3
Trust Services Report for Service Organization: SOC 3® reports are examination engagements performed by a practitioner (CPA) in accordance with AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards) using the predefined criteria in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Questions & Answers). A SOC 3® report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system provided. SOC 3® reports can be issued on one or more of the Trust Services principles (security, availability, processing integrity, confidentiality and privacy).

Contact us to learn more about SSAE 18 audits.