Auditing and reporting designed for modern businesses

We are industry leaders in quality SOC Reporting

SOC 1

Demonstrates your company’s commitment to accurately ingesting, processing, storing, and reporting your customer’s data — especially if that data is used in your customer’s own financial reporting.

SOC 2

Shows your company’s commitment to handling customer data appropriately, with respect to Security, Availability, Confidentiality, Processing Integrity, and/or Privacy domains.

SOC 3

Provides a high-level overview of your data handling practices, without revealing sensitive details, for public-facing reporting.

SOC Report Coverage Options

Type 1

Provides an opinion on the design of controls at a specific point in time.

  • Point-in-time test
  • Must have all controls in place by the "As Of" date
  • Must demonstrate that controls are implemented (not just described in a policy)
  • No need to show consistency of controls over time
  • Great way to ease into SOC reporting
  • Option not available for SOC 3

Type 2

Provides an opinion on the design and operating effectiveness of controls over a period of time.

  • A "period of time" test
  • Must demonstrate consistent execution of controls
  • Auditors can sample, but don’t have to
  • Any instance of a control not in place must be reported as a deviation on the report
  • Not all deviations are weighted equally
  • "A qualified" report is when deviations are severe enough that a specific Trust Services Criteria is not met
  • 1 year is the standard period of time coverage, but could be as little as 3 months for your first one
  • Typically repeats the same 1 year window each year to show maturity

Additional Frameworks

HIPAA

Maps well with the SOC 2 Security and Availability domains

Showcase your compliance with the HIPAA Security and Privacy Rule by:

  • Adding it to the scope of your SOC 2 audit and including it in your SOC 2 report, called a SOC 2+ (“SOC 2 Plus”)
  • Having an auditor perform a stand-alone audit for HIPAA using the AT-C 315 report format

GDPR

Maps well with the SOC 2 Security and Privacy domains

Showcase your compliance with the GDPR by:

  • Adding it to the scope of your SOC 2 audit and including it in your SOC 2 report, called a SOC 2+ (“SOC 2 Plus”)
  • Having an auditor perform a stand-alone audit for GDPR using the AT-C 315 report format

ISO 27001

Maps well with the SOC 2 Security domain

  • Pursue an ISO 27001 certification, or
  • Add it to the scope of your SOC 2 audit and include it in your SOC 2 report, called a SOC 2+ (“SOC 2 Plus”)

Ready to get started?

Let’s talk about how Modern Assurance can simplify your next SOC or compliance audit.