Gain Customer Confidence and Business Advantage with a Lazarus Alliance SOC 1 or SOC 2 audit. Call +1 (888) 896-7580 today!
We prioritize cybersecurity compliance as our primary focus, while operating as a fully licensed CPA firm to deliver comprehensive audit services. With over 25 years of hands-on cybersecurity expertise, Lazarus Alliance’s team of seasoned professionals—including certified experts in information security and risk management—brings deep industry knowledge across sectors like technology, finance, healthcare, and government. We’re fully dedicated to guiding your SOC 1 and SOC 2 audit success, whether you operate in the private or public sector, and we’re ready to collaborate closely with your organization to achieve lasting compliance goals.
System and Organization Controls (SOC) reports provide assurance that service providers, or prospective providers, operate ethically and in compliance with standards. While the term "audit" may carry a negative connotation, SOC reports enhance a service provider’s credibility and trustworthiness, offering a competitive edge that justifies the investment of time and resources.
Frequently Asked Questions
What is the difference between SOC 1 and SOC 2?
SOC 1 and SOC 2 are both Service Organization Control reports issued by the American Institute of Certified Public Accountants (AICPA), but they serve different purposes. SOC 1 focuses on internal controls over financial reporting (ICFR), primarily for organizations that provide services impacting their clients’ financial statements, such as payroll or payment processing. It ensures controls are designed and operating effectively to support accurate financial reporting. SOC 2, on the other hand, addresses controls related to security, availability, processing integrity, confidentiality, and privacy of a service organization’s systems, based on the Trust Services Criteria (TSC). It is relevant for technology and cloud-based companies handling sensitive customer data, emphasizing operational and data protection controls rather than financial reporting.
What is a SOC 3 report?
A SOC 3 report is a general-use report that summarizes the results of a SOC 2 examination, designed for public distribution. Unlike SOC 2 reports, which are detailed and restricted to specific stakeholders (e.g., clients or auditors), SOC 3 reports provide a high-level overview of an organization’s controls related to the Trust Services Criteria (security, availability, processing integrity, confidentiality, and/or privacy) without disclosing sensitive details. They are often used for marketing purposes, allowing organizations to demonstrate compliance to customers, partners, or the public. A SOC 3 report may also include a seal of certification for display on a company’s website.
What is the difference between SOC 2 Type 1 and Type 2?
SOC 2 Type 1 and Type 2 reports both evaluate an organization’s controls based on the Trust Services Criteria, but they differ in scope and timing. A SOC 2 Type 1 report assesses the design and implementation of controls at a specific point in time, providing a snapshot of whether the controls are suitably designed to meet the criteria. A SOC 2 Type 2 report evaluates both the design and operating effectiveness of those controls over a period of time, typically 6 to 12 months. Type 2 reports provide greater assurance, as they demonstrate that controls function consistently and effectively over time.
What are the SOC 2 Trust Services Criteria (TSC)?
The SOC 2 Trust Services Criteria (TSC) are a set of principles established by the AICPA to evaluate the controls of a service organization. The five criteria are:
- Security: Systems and data are protected against unauthorized access and other risks that could compromise data integrity or availability.
- Availability: Systems are available for operation and use as agreed upon, often addressing uptime and disaster recovery.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the organization’s objectives.
- Confidentiality: Information designated as confidential is protected to meet the organization’s commitments and requirements.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in accordance with the organization’s privacy policies and applicable regulations.
All SOC 2 reports must address the Security criterion, while the others are optional based on the organization’s services and client needs.
How long is a SOC 2 report valid?
A SOC 2 report is typically valid for 12 months from the date of issuance, covering the period evaluated in the report (for Type 2) or the point-in-time assessment (for Type 1). However, validity can depend on the context in which the report is used. Clients or stakeholders may request a new report if significant changes occur in the organization’s systems, controls, or operations that could affect compliance. Organizations often undergo annual SOC 2 audits to maintain compliance and provide updated reports to stakeholders.
What is a SOC 2 auditor certification?
There is no specific “SOC 2 auditor certification” for individuals. SOC 2 audits must be performed by a licensed Certified Public Accountant (CPA) or a CPA firm that adheres to AICPA standards. The CPA or firm must have expertise in SOC auditing and follow the AICPA’s guidelines for Service Organization Control engagements. While CPAs may hold certifications like Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM), these are not specific to SOC 2 but demonstrate relevant expertise in IT auditing and security. The AICPA provides guidance and training for CPAs conducting SOC 2 audits, but the audit itself is conducted under the CPA’s professional licensure.
Lazarus Alliance Services
Lazarus Alliance's role in conducting SOC 1 and SOC 2 audits is to provide independent, objective assurance on the controls of a service organization, ensuring they meet the standards set by the American Institute of Certified Public Accountants (AICPA). Below is a concise explanation of its role for each audit type:
SOC 1 Audit
A SOC 1 audit focuses on controls relevant to a service organization's financial reporting, particularly for clients whose financial statements are affected by the service organization's controls (e.g., payroll processors, data centers).
Lazarus Alliance's Role:
- Planning and Scoping: Assess the service organization’s processes, identify controls relevant to financial reporting, and define the audit scope (e.g., specific systems or services).
- Risk Assessment: Evaluate risks that could impact the reliability of financial reporting and determine key controls to test.
- Testing Controls: Perform procedures (e.g., inquiries, inspections, observations, or reperformance) to verify the design and operating effectiveness of controls (Type II) or only the design (Type I).
- Evidence Collection: Gather documentation, such as policies, procedures, and system logs, to support findings.
- Reporting: Issue a SOC 1 report, including the auditor’s opinion on whether controls are suitably designed and, for Type II, operating effectively over a period. The report includes a description of the system, controls, and test results (if applicable).
- Advisory (Optional): Provide recommendations for improving controls, though this is separate from the audit to maintain independence.
SOC 2 Audit
A SOC 2 audit evaluates controls related to security, availability, processing integrity, confidentiality, and/or privacy, based on the AICPA’s Trust Services Criteria. It’s relevant for organizations handling sensitive data (e.g., cloud service providers, SaaS companies).
Lazarus Alliance's Role:
- Planning and Scoping: Work with the organization to define the scope, including which Trust Services Criteria to evaluate and which systems or services are included.
- Risk Assessment: Identify risks related to the selected criteria and assess the design of controls to mitigate those risks.
- Testing Controls: Conduct tests to evaluate the design (Type I) and operating effectiveness (Type II) of controls, using methods like sampling, walkthroughs, and reviewing system configurations.
- Evidence Collection: Collect and analyze evidence, such as access logs, incident reports, or encryption protocols, to validate control effectiveness.
- Reporting: Issue a SOC 2 report with an opinion on the controls’ design and effectiveness, a system description, and, for Type II, detailed test results. The report is typically restricted to authorized users (e.g., clients or regulators).
- Advisory (Optional): Offer guidance on addressing control gaps or improving security practices, while maintaining auditor independence.
Key Differences in Roles
- Focus: SOC 1 addresses financial reporting controls, while SOC 2 focuses on operational and compliance controls (security, availability, etc.).
- Audience: SOC 1 reports are primarily for clients’ financial auditors, while SOC 2 reports are for clients, regulators, or partners concerned with data security and privacy.
- Criteria: SOC 1 uses control objectives defined by the service organization, while SOC 2 uses standardized Trust Services Criteria.
General Responsibilities for Both
- Independence: Maintain objectivity and avoid conflicts of interest, adhering to AICPA standards.
- Expertise: Apply knowledge of IT systems, internal controls, and industry standards to ensure a thorough audit.
- Communication: Engage with the service organization to clarify expectations, discuss findings, and ensure accurate reporting.
- Compliance: Follow AICPA’s SSAE 18 (for SOC 1) or AT-C standards (for SOC 2) to ensure the audit meets professional requirements.
As a CPA firm with specialized IT audit expertise, Lazarus Alliance ensures that SOC 1 and SOC 2 reports provide reliable assurance to stakeholders about the service organization’s controls.
Cost Reductions
We work smarter, not harder, to drive down your costs by giving you access to Continuum GRC's ITAM application, the number one ranked SOC-ready SaaS GRC audit software solution. This solution is the only FedRAMP-certified assessment application tailor-made for the SOC.
Proactive not Reactive
We work with our SOC clients proactively throughout the year to help prevent threats to your SOC compliance program.
With the time and expense required to remain SOC attested, you don't want to risk a compliance exposure that would drive up your costs and invalidate your valuable achievement.
Start to Finish in Record Time
Our proven SOC assessment approach and technology dramatically improve the completion process. We average a 46% reduction in traditional assessment time thanks to our critical path methodology, proactive philosophy, and use of the Continuum GRC ITAM platform. You have 24/7 access, so everyone involved can complete their work quickly.
Talk with one of our experts
Our Lazarus Alliance Cybervisor™ teams have experience performing thousands of assessments for organizations providing services to clients around the world.
We're here to answer any questions you may have.