Service Organization Controls

Service Organization Controls (SOC) Engagements (Previously SAS 70) & Agreed Upon Procedures

Service Organization ControlsThe American Institute of Certified Public Accountants (AICPA) has issued new standards for auditing service organizations (SSAE 16).  Under SSAE 16, service organizations will now issue their Service Auditor Reports in the form of a SOC Report.  These new standards replace what was previously referred to as a SAS 70 audit. Our SSAE 16 engagements provide the necessary analysis of the service provider and their ability to keep confidential data protected, whether you need a SOC Report to satisfy an existing customer’s financial reporting requirement or to provide assurance to clients about the protection and proper maintenance of customer data.

SSAE 16 provides for three different SOC reporting options:

  • SOC 1:   Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
  • SOC 2:   Reports on Controls at a Service Organization Relevant to Security Availability, Processing, Integrity, Confidentiality, and Privacy.
  • SOC 3:   Trust Services Report for Service Organization.

Which SOC report is right for you? Click here.

Once you have determined the appropriate SOC report, which type of SOC report is right for you?

  • Type 1:  A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2:  A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

What are the benefits of a SOC Report?

Organizations that perform outsourced services for other companies can benefit from obtaining a SOC report, and include financial transaction processors, payroll processors, data centers, software vendors, third-party administrators, human resources and benefits processors, and application service providers.

Benefits include:

  • Increased confidence in your internal control environment.
  • Assist customer’s financial statement auditor in determining the reliance to
    be placed on controls in place at the service provider.
  • Eliminate the need for customers to perform onsite audits.
  • Satisfy customer’s requirements of an audit of their service provider’s internal controls.
  • Indicates to potential customers a commitment to internal controls and transaction processing integrity.