Verification and Assurance for your Security and Controls
Does your organization process payments, host data or conduct other outsourced services for clients? Have customers asked questions about your security and controls? Do you need to provide verification to government regulators? A System and Organization Controls (SOC) report provides third-party peace of mind, satisfies regulatory compliance and serves as a universally recognized seal of approval for internal controls and security protocol.
SOC reports are complex and cover a wide range of objectives and controls, so it is important to work with an assurance professional well-versed in quality standards and reliable output. RKL’s IT analysts and assurance professionals combined have nearly two decades of experience conducting SOC reports, and they can help you determine which type of SOC report works best for your requirements and goals.
SOC Report: Which Type Does Your Organization Need?
SOC 1
What is it? An assurance tool for financial reporting designed by the American Institute of Certified Public Accountants (AICPA).
Who needs one? Any organization that is processing data or generating information specific to the data (i.e. billing) on behalf of another organization.
What does it cover? At least six months of information that is material and impactful to the financial statement.
SOC 2
What is it? Also designed by AICPA, SOC 2 tests controls related to five principles for data (security, availability, confidentiality, privacy, processing integrity).
Who needs one? Any organization that is holding or processing data on behalf of another organization.
What does it cover? At least two months of technical controls for data storage and/or processing (not financial information).
Why RKL for SOC Reporting?
A SOC report is an assurance and compliance requirement, though to the team at RKL, it represents far more. It is a demonstration of your organization’s commitment to transparency and governance and is a trust signal in a time of increasing awareness around safety and security. Working with RKL, you can expect a thorough and proactive experience centered on these core principles:
- Transparency: We start each SOC engagement with a review of existing reports (if available) to obtain a full picture of your organization’s control environment and how it has previously been evaluated. This allows us to identify any gaps in prior SOC reports and align with management around objectives and controls that need to be tested. In the absence of a previous report, we look at other process narratives, documents and established procedures to leverage existing efforts and streamline the assessment.
- Timeliness: SOC 1 reports have hard deadlines related to financial statement preparation and review. Regulatory compliance requirements may also come with their own timetables. Whatever the requirement, our team will meet it without cutting corners to produce a thorough and reliable assurance opinion.
- Quality: The AICPA sets high standards for SOC reports, and RKL uses those as the floor, not the ceiling. We are committed to delivering a comprehensive report that assuages security and safety concerns and drives ongoing value for your organization and your clients.