SOC 1 & SOC 2
Systems & Organization Control Engagements

In today’s data-driven world, safeguarding sensitive data and having robust systems and controls are essential. Nawrocki Smith provides SOC 1 and SOC 2 attestation services, helping organizations demonstrate the reliability of their systems and controls. Your SOC is required for regulatory and compliance initiatives, but it will also demonstrate to your existing and prospective clients that you care about the security and privacy of the data, information and tasks they entrust to you.

Does your Organization need a SOC Report?

If your organization performs services for clients, is responding to client questionnaires on your IT policies or other processes, stores sensitive data, and is connected to the internet, then you may need an independent examination of your Systems and Organization Controls (SOC) performed by a Certified Public Accountant.

What are SOC Reports?

SOC 1 Examination – Internal Control Over Financial Reporting

A SOC 1 report is used to convey your systems and controls related to internal control over financial reporting. The report can be provided to your clients and used in your clients’ financial audits to assist their auditors in assessing risks related to internal control. The report assists you and your customers in evaluating your internal controls over financial reporting for compliance purposes and in keeping your systems and data safe.

SOC 2 Examination – Trust Services (TS)

A SOC 2 report focuses on the systems and controls needed to achieve the relevant Trust Services Principles and Criteria for the organization. The examination can be performed for one or more of the following trust services principles and criteria:

  • Security. Is the system protected against unauthorized access (physical and logical)?
  • Availability. Is the system available for operation and use as committed or agreed?
  • Processing Integrity. Is system processing complete, accurate, timely, and authorized?
  • Confidentiality. Is confidential information protected as committed and agreed?
  • Privacy. Is personal information collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants?

When determining the report that is appropriate for your organization, consider the following:

  • What are the reason(s) driving the need for the report?
  • If customers or clients are requesting it, what will they be using the report for?
  • What are your risks and your customers’ concerns about systems, what controls are needed to meet service commitments, and what are the risks when providing your services?

Be sure to consult with your Certified Public Accountants when determining which report is right for your organization.
