System and Organization Controls: SOC Suite of Services
System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.
Learn more about the SOC suite of services below:
SOC for Service Organizations
Internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service.
- SOC 1® — SOC for Service Organizations: ICFR
- SOC 2® — SOC for Service Organizations: Trust Services Criteria
- SOC for Service Organizations: SOC 2® HITRUST
- SOC for Service Organizations: SOC 2® CSA STAR Attestation
- SOC 3® — SOC for Service Organizations: Trust Services Criteria for General Use Report
SOC for Cybersecurity
A reporting framework through which organizations can communicate relevant, useful information about the effectiveness of their cybersecurity risk management program, and through which CPAs can report on such information to meet the cybersecurity information needs of a broad range of stakeholders.
Under Development: SOC for Supply Chains
An internal controls report on an entity's system and controls for producing, manufacturing or distributing goods to better understand the cybersecurity risks in their supply chains.
Resources
- Exposure Draft: Proposed description criteria for a description of an entity's production, manufacturing, or distribution system in a SOC for supply chain report
- Brochure: SOC 2® and SOC for Cybersecurity: How they’re different and how they can help.
- Whitepaper: SOC 2® examinations and SOC for cybersecurity examinations: Understanding the key distinctions
- Mappings relevant to the SOC Suite of Services
Formerly, SOC referred to service organization controls.