The continued rise in cyber attacks and resulting regulations have made the controls surrounding the protection of data a primary concern for the Board of Directors. As a result, vendor management practices now require that a SOC 1 and often a SOC 2 be performed.
Megahertz has expert knowledge in SOC 1, 2, and 3 requirements and can help you decide what type of review should be performed. Based upon your operating environment, we can help you decide what trust principles should be reviewed, as well as what assurances you need from vendors to whom you subcontract. We can also share insight on what your customers’ auditors are looking for.
Megahertz can help with:
- SSAE 18 SOC Type I and II Review in accordance with AICPA SSAE No. 16; reporting on controls at a service organization.
- SOC 2, Type I and II Review in accordance with AICPA Standards AT 101; attestation engagements and the AICPA guide, reporting on controls at a service organization relevant to security, availability, integrity, confidentiality, or privacy.
- SOC 3 Review in accordance with AICPA Standards AT 101; attestation engagements and the AICPA technical practice aid, trust services principles, criteria, and illustrations.
| Criteria | SOC 1 | SOC 2 | SOC 3 |
| --- | --- | --- | --- |
| Intended Users | Current Customers | Current Customers and Other Users | Current or Prospective Customers |
| Subject of Opinion | Controls Relevant to Financial Reporting | Controls Relevant to Trust Principles | No Opinion is Provided |
| Scope of Review | Environmental, Processing, and Limited IT Controls | Environmental, and One or More Trust Principles’ Controls | One Trust Principle |
| Type I – Assessment of Design | Yes | Yes | N.A. High Level Assessment |
| Type II – Assessment of Design and Operating Effectiveness | Yes | Yes | N.A. High Level Assessment |
An SSAE 18 (SOC 1) provides your current customers and their auditors with an opinion of controls relevant to financial reporting. However, as a third-party service provider, you may also be required to have a SOC 2 review performed, which reports on the controls related to security, availability, processing integrity, confidentiality, or privacy based upon the services you provide.
Contact us to learn more or for expert assistance.