SOC Examination Services

A System and Organization Control (SOC) audit provides transparency about your internal control environment and assurance that the controls in place are designed and operating effectively.

Weaver works to ensure our SOC examination services also add value by helping you improve your day-to-day operations and your competitive edge. We work to provide guidance that does more than just “check the box.” Rather, we consider your business as a whole and how SOC reporting can serve as a valuable tool for achieving your long-term strategic objectives.

All SOC examinations must be performed in accordance with Statement on Standards for Attestation Engagements (SSAE), which includes multiple unique reporting channels, each tailored to provide insight on your internal control environment.

Reporting Options

All System and Organization Control (SOC) examinations must be performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 21. SSAE No. 21 includes multiple unique reporting channels, each tailored to provide insight on the internal control environment at the entity, service provider and supply chain levels.


SOC 1
Purpose: Report on internal controls over services relevant to user entities' (your customers') financial reporting.
Reports: Type 1 - Point in time; Type 2 - Period of time (typically 6-12 months)
Audience: User entities of the outsourced service and their financial auditors.

SOC 2
Purpose: Report on internal controls over technical subject matter relating to information security and operational risks.
Reports: Type 1 - Point in time; Type 2 - Period of time (typically 6-12 months)
Audience: User entities for internal audit, due diligence, ongoing vendor management, and regulatory compliance.

Note: Service organizations are those issuing the SOC report; user entities are those relying on the SOC report.

SOC 2: AICPA Trust Services Criteria

The Trust Services Criteria (the TSC) are used to evaluate and report on controls over information and systems across an entire entity, at the operating unit level, within a particular function, or for a particular type of information. The TSC are classified into five main categories:

Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.
Availability. Information and systems are available for operation and use to meet the entity’s objectives.
Processing Integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

 

SOC 2+ Additional Criteria

HIPAA Security
PCI DSS
HITRUST
ISO 27001
NIST-CSF
CSA-STAR


Neha Patel

Partner-in-Charge, IT Advisory Services


Neha Patel, CPA, CISA, CDPSE, has more than 17 years of experience in public accounting and internal audit, with an emphasis on…
