System and Organization Controls (SOC) Reporting

SOC compliance and SOC reporting provide your customers with the assurance they need to do business with you. A well-designed SOC program also helps identify and manage financial, operational, system, and cybersecurity risks.

The AICPA SOC Suite of Services includes several SOC reports, each designed to address specific needs:

SOC FOR SERVICE ORGANIZATIONS

  • SOC 1®: An examination of internal controls over financial reporting that is based on AICPA’s guidance for auditors, Statement on Standards for Attestation Engagements ("SSAE"). This is intended to be a SOC report from the service organization’s auditor to its customers’ auditor.
  • SOC 2®: An evaluation of operational or compliance controls (not solely financial reporting) that is focused on one or more key system attributes of security, availability, processing integrity, confidentiality, and privacy (Trust Services Criteria), depending on what is relevant and important to your customers. Also based on AICPA’s SSAE guidance for auditors, this is intended to be a SOC report from the service organization’s management to its customers’ management (not auditor to auditor).
  • SOC 3®: This covers the same scope as SOC 2®, except that the SOC report does not include management’s detailed description of processes and systems, and the company can place a publicly visible SOC seal on its website with a link to the report on the stated key system attributes of security, availability, processing integrity, confidentiality, and privacy.


CYBERSECURITY SOC


This Cybersecurity SOC report is similar to a SOC 2®, but it is intended for a broader audience (your customers and their auditors) that is interested in knowing about your company’s SOC compliance and risk management program for cybersecurity, including information about your systems, processes and controls for detecting, preventing and responding to breaches.


SOC FOR SUPPLY CHAINS


This is a voluntary framework that might be the most efficient approach for your organization to:

  • Communicate information to your customers about your manufacturing, production, and/or distribution systems, as well as the effectiveness of your controls to mitigate supply chain risks; and
  • Obtain information from your suppliers to gain an understanding of the risks of doing business with them.


Before this framework, most organizations would typically rely on a variety of non-standard and other sources to obtain an understanding of supply chain risks: information provided by the suppliers themselves, the organization’s internal auditor findings from assessments performed at each (or key) supplier, or other programs such as International Organization for Standardization (“ISO”) certification.


FGMK SOC COMPLIANCE, EXAMINATION AND REPORTING SERVICES


FGMK understands how critical your projects and programs are to your organization’s success. Our team designs efficient SOC compliance and reporting processes tailored to your needs:


EXAMINATION –

We perform our SOC examination under the AICPA's SSAE guidance for auditors. Our experienced SOC professionals make the examination easier for you from planning through completion. We leverage our tools and templates to execute our controls testing in an efficient and effective manner so you can stay focused on running your business. We understand that SOC reports are a reflection of both your service organization and FGMK, so we focus on preparing SOC reports you will be proud to share with your customers.


READINESS –

We help you identify and document controls to meet your SOC compliance objectives. We have the tools, templates and experience to help you right-size your SOC solution according to your requirements. We leverage our deep understanding of business processes and information technology to assist you in identifying controls to mitigate risks in your environment.


TECHNOLOGY –

Regardless of the type of SOC report your company needs, information technology systems and security are at the core. We combine technology and IT audit skills with the knowledge necessary for a complete SOC compliance and cybersecurity SOC strategy. We also leverage third-party tools that bring efficiencies to both you and FGMK throughout the SOC examination.


FGMK’s Entrepreneurial Services Group provides strategic business, accounting and tax services.

Michael H. Becker

847.964.5342

Build trust through transparency.

We help organizations demonstrate strong controls and reliable systems through disciplined SOC reporting.