SOC 1/SOC 2/SOC 3/SSAE 18

The continued rise in cyber attacks and resulting regulations have made the controls surrounding the protection of data a primary concern for the Board of Directors. As a result, vendor management practices now require that a SOC 1 and often a SOC 2 be performed.

InfoSight has expert knowledge in SOC 1, 2, and 3 requirements and can help you decide what type of review should be performed. Based upon your operating environment, we can help you decide what trust principles should be reviewed, as well as what assurances you need from vendors to whom you subcontract. We can also share insight on what your customers' auditors are looking for.

InfoSight can help with:

  • SSAE 18 SOC Type I and II Review in accordance with AICPA SSAE No. 16; reporting on controls at a service organization.
  • SOC 2, Type I and II Review in accordance with AICPA Standards AT 101; attestation engagements and the AICPA guide, reporting on controls at a service organization relevant to security, availability, integrity, confidentiality, or privacy.
  • SOC 3 Review in accordance with AICPA Standards AT 101; attestation engagements and the AICPA technical practice aid, trust services principles, criteria, and illustrations.
Criteria
SOC 1
SOC 2
SOC 3
Intended Users Current Customers Current Customers and Other Users Current or Prospective Customers
Subject of Opinion Controls Relevant to Financial Reporting Control Relevant to Trust Principles No Opinion is Provided
Scope of Review Environmental, Processing, and Limited IT Controls Environmental, and One or More Trust Principles' Controls One Trust Principle
Type I - Assessment of Design Yes Yes N.A. High Level Assessment
Type II – Assessment of Design and Operating Effectiveness Yes Yes N.A. High Level Assessment


A SSAE 18 (SOC 1) provides your current customers and their auditors with an opinion of controls relevant to financial reporting. However as a third party service provider, you may also be required to have a SOC 2 review performed which reports on the controls related to security, availability, processing integrity, confidentiality, or privacy based upon the services you provide.

Contact us to learn more or for expert assistance.