Standards for Attestation Engagements 18 (SSAE 18) is an attestation standard where a certified auditor thoroughly examines a service organization and issues a report of internal controls for businesses activities being conducted in the service organization. This is called a System and Organization Control or SOC Report.

There are three major SOC reports.

SOC 1: examines business controls at a service organization that are relevant for financial reporting for the client

SOC 2:  examines internal controls at a service organization to ensure compliance to at least one of the Service Trust Principles.

SOC 3: A General use report that assures the service organization’s compliance to the Service Trust Principles.

Additionally, there is also the SOC for Cyber Security that examines the service organization’s cyber security risk management program and other process controls.

No. SOC 1 and SOC 2 reports cannot be used for marketing. SOC 3 report is meant for general purpose and can be used for marketing.

Your SOC audit depends on the nature of work your startup is involved in. If you handle financial information, SOC 1 will be needed. But if you handle or process any kind of data that your client believes is sensitive, then you will need SOC 2.

Any service organization that requires its controls to be independently verified require a SOC audit. Common examples of industries that require SOC audits are payroll, banks, real estate, advertising, loan servicing, data centres etc.

SOC audits are conducted to get a ‘unqualified’ opinion from the auditor, meaning that all controls exist and are operating effectively in the organization. A ‘modified’ opinion means that one or more of the controls were found to be ineffective. An ‘adverse’ opinion means that the auditor could not identify any controls operating effectively in the organization.

A SOC audit independently verifies that your organization’s policies and controls are in place and are effectively working. All audits push organizations to improve their processes and, therefore, drive efficiency. Upon audit completion, your organization will have a distinct advantage over your competitors.

SOC guidesare available in electronic as well as print versions online at the AICPA store.

You must carry out a readiness audit first to gauge whether your organization is really ready to undergo a SOC audit. This will allow you to make any changes necessary to your organization’s policies and controls, prior to the actual audit process.

There are many determining factors of a SOC report such as size of the organization, controls in place, type of report that needs to be generated (Type I and Type II) etc. Do contact us for further details of pricing.