SOC Examination Services

A System and Organization Control (SOC) audit provides transparency about your internal control environment and assurance that the controls in place are designed and operating effectively.

Weaver works to ensure our SOC examination services also add value by helping you improve your day-to-day operations and your competitive edge. We work to provide guidance that do more than just “check the box.” Rather, we consider your business as a whole and how SOC reporting can serve as a valuable tool for achieving your long-term strategic objectives.

All SOC examinations must be performed in accordance with Statement on Standards for Attestation Engagements (SSAE), which includes multiple unique reporting channels, each tailored to provide insight on your internal control environment.

Reporting Options

All System and Organization Control (SOC) examinations must be performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 21. SSAE No. 21 includes multiple unique reporting channels, each tailored to provide insight on the internal control environment at the entity, service provider and supply chain levels.

	SOC 1	SOC 2
Purpose	Report on internal controls over services relevant to user entities (your customers) financial reporting.	Report on internal controls over technical subject matter relating to information security and operational risks.
Reports	Type 1 - Point in time Type 2 - Period of time (typically 6-12 months)	Type 1 - Point in time Type 2 - Period of time (typically 6-12 months)
Audience	User entities of the outsourced service and their financial auditors.	User entities for internal audit, due dilligence, ongoing vendor management, and regulatory compliance.

Note: Service organizations are those issuing the SOC report, user entities are those relying on the SOC report.

SOC 2: AICPA Trust Services Criteria

The Trust Services Criteria (the TSC) are used to evaluate and report on controls over information and systems across an entire entity, at the operating unit level, within a particular function, or for a particular type of information. The TSC are classified into five main categories:

Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.

Availability. Information and systems are available for operation and use to meet the entity’s objectives.

Processing Integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.

Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

 

SOC 2+ Additional Criteria

HIPAA Security

PCI DSS

HITRUST

ISO 27001

NIST-CSF

CSA-STAR