Two Types of Reports
SOC 2 Type I reports identify whether the service organization's internal controls are appropriately designed as of a specified date. SOC 2 & 3 Type II reports identify whether the service organization's internal controls are appropriately designed over a specified period of time, usually 6 to 12 months but as few as 2 months, and whether the controls operated with sufficient effectiveness during that same period.
SOC 2 & SOC 3 Differences
SOC 2 reports are intended only for the service organization's customers, while SOC 3 reports can be freely distributed or posted on a website with a SysTrust seal. Additionally, SOC 3 reports do not contain a detailed description of the service auditor's tests.
Who should consider getting a SOC 2 & 3 Audit?
Service organizations that host or process sensitive non-financial statement data belonging to customers and want to demonstrate effective internal controls, or those whose closely regulated customers must submit reports on internal controls over sensitive data to regulatory agencies.
What are the Benefits?
Independent, third-party assurance of adequate internal controls; a demonstration that a sound internal control environment over non-financial reporting data exists; builds trust and strengthens relationships with customers; reduces strain on your organization by eliminating multiple visits from your customers' auditors; and identifies opportunities for improvement in business processes and the management of information technology operations.
The Rehmann Approach
Phase I - Project Planning
Develop project scope of work; define roles and responsibilities; gain an understanding of key business processes and related information technology controls.
Phase II - Readiness Assessment (If requested)
Evaluate the selected business processes and information technology controls; identify control deficiencies, if any; communicate control deficiencies to management; review management's control remediation; and assist in compiling documentation to support the description of controls.
Phase III - Perform the SOC 2 or 3 Audit
Obtain management's assertion of the system description and internal controls; assess, using AICPA/CICA standards, the suitability of the criteria management used to prepare its description of controls; obtain an understanding of the service organization's system; obtain evidence supporting management's description of the service organization's system; obtain evidence of the design of controls; obtain evidence of the operating effectiveness of controls (Type II); investigate the nature and cause of deviations, if any; and prepare the service auditor's report.