Start your SOC Audit Preparation today!

ControlCase helps companies understand and prepare for their SOC Attestations

BEGIN YOUR SOC 2 COMPLIANCE JOURNEY NOW!

Full Name*
Business Email*
Company*
Phone Number*
Country*
Comments
This field is for validation purposes and should be left unchanged.

Automate Evidence Collection

ControlCase SOC 2 Type 2 examination is conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA).

The assessment aims to obtain reasonable assurance that an organization’s service/systems were designed and implemented based on the criteria set forth in DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report.

The assessment also provides assurance that service commitments and system requirements were achieved based on the applicable trust services criteria for Security, Availability, Processing Integrity, Confidentiality, and/or Privacy principles set forth in TSC 100, 2017 Trust Services Criteria.

Our offerings enable clients to effectively manage their IT Governance, Risk Management and Compliance Management efforts

1 On-time compliance to SOC 2 Type 2

2 Receive PCI DSS, ISO 27001, or HIPAA compliance reports as part of your assessment

3 Avoid checklist auditors – ControlCase uses a partnership approach

FREQUENTLY ASKED QUESTIONS

What does SOC stand for?

SOC stands for System and Organization Controls and represents a set of compliance standards developed by the American Institute of CPAs (AICPA) – a network of over 400,000 professionals across the globe. SOC Audits aim to examine the policies, procedures and internal controls of an organization.

Who does SOC 2 Apply To?

SOC 2 applies to any organization wanting to effectively demonstrate to associated organizations controls associated with regard to Security, Availability, Confidentiality, Processing Integrity and Privacy or any combination of these as part of third-party relationships. It is also applicable to organizations that store its customer data in the cloud as well as Third-party service providers such as cloud storage, web hosting and software-as-a-service (SaaS) companies.

What are the 3 SOC Audits & Reports?

SOC 1 – Reports on the processes and controls that influence the organization’s internal control over financial reporting (ICFR). SOC 1 is also a standard assessment report required by user entities to comply with Sarbanes-Oxley Act (SOX).
SOC 2 – Designed for service organizations and reports on non-financial controls. Focuses on five key trust services criteria (formerly called trust services principles), or TSCs. SOC 2 outlines the standards that are necessary to keep sensitive data private and secure while it’s in transit or at rest.
SOC 3 – SOC 3 is similar to SOC 2 in terms of the audit criteria. The main difference is in the reporting – SOC 2 is tailored for sharing with specific organizations, whereas SOC 3 reports are more applicable for general audiences and therefore made publicly available.

What are 2 Types of reports for SOC 1 and SOC 2?

Type 1 Report – Applicable when the service organization has not been in operation for a sufficient length of time to enable the service auditor to gather sufficient appropriate evidence regarding the operating effectiveness of controls, hence is “point in time”. The Type 1 Report is also for service organizations that have recently made significant changes to their system and related controls and do not have a sufficient history with a stable system to enable a type 2 engagement to be performed.
Type 2 Report – Applicable for service organizations that have a long running stable system capable of demonstrating the effectiveness in the design of controls over a defined period of time retrospectively, normally no less than 6 months and not longer than 12 months.

What is SOC 2 Compliance?

SOC 2 focuses on non-financial reporting of internal controls and systems. By complying with SOC 2 organizations protect the confidentiality and privacy of data that’s stored in cloud environments. Additionally, SOC 2 compliance helps service providers show that the privacy, confidentiality and integrity of customers’ data is a priority.

What SOC is NOT

SOC is not certification. SOC 1 and SOC 2 are ATTESTATIONS of the controls as defined being either functioning or not nor as designed.

What is SOC 2 Attestation?

SOC attestation is a type of audit report that attests to the trustworthiness of services provided by a service organization.

Who can perform a SOC 2 audit?

AICPA requires that SOC audits and reports are performed only by independent, licensed CPAs

How to lower cost for SOC 2 audit?

1. Security Expertise – It is important to find a knowledgeable partner that can assist in creating and implementing controls for SOC 2 type 2.
2. Collaborate – Ensure all business stakeholders are involved early and often. This will enable the prompt handing of strategic components and other key logistics on an ongoing basis.
3. Commitment – Ensure all stakeholders understand, agree and acknowledge the benefits of becoming SOC 2 attested. Establishing this will drive commitment to the project and ensure accountability.
4. Engage Leadership – Gaining buy-in from the highest levels of the organization as early as possible will help ensure resource allocation, budget and commitment from the rest of the team.

What is a SOC 2 Report?

There are 2 types of SOC 2 reports:
SOC 2 Type 1 – Outlines management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.” This report evaluates the controls at a specific point in time.
SOC 2 Type 2 – Focuses not just on the description and design of the controls, but also actually evaluating operational effectiveness. The report evaluates controls over an extended period of time to ensure the effectiveness of the controls (potentially taking several months).