System and Organization Controls (SOC) Reports
With more and more high-profile cases in the news, there is a heightened awareness of the need for strong internal controls. Many companies outsource tasks or entire functions to service organizations. Even though these functions are outsourced, it’s the company’s responsibility to ensure effective controls are in place. Even small outsourcing providers are beginning to receive requests for a third-party review of their internal control policies and procedures. If you are a service organization, a SOC report can be a seal of approval that you have effective controls over your clients’ information.
Who needs a SOC?
Companies that typically need a SOC report include organizations that perform outsourced services on behalf of their customers. Examples are payroll processors, Software as a Service (SaaS) providers, network administrators, managed security providers, co-location data centers, cloud-computing providers, financial services processors, customer support call centers, accounts receivable processors, credit recovery managers, trust departments, transfer agents, custodians, mortgage servicers, ISP and web-hosting service providers, ASPs and many more.
Like a financial statement audit, a SOC report can only be issued by a certified public accountant. The engagement includes a review of the company’s policies, procedures and controls that relate to the outsourced functions provided by clients to their customers.
Having third-party assurance of your company’s control policies and procedures sends a message to customers and prospects that they can rely on your company to handle information accurately and securely. Learn more from the American Institute of Certified Public Accountants.
System and Organization Control Reports
SOC 1 Report (SSAE 18): Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. This is used only by auditors of user organizations and management of user entities. SSAE 18 requires the same level of evidence and assurance expected under the former SAS 70 service auditor engagement. It essentially fills the role of a SAS 70 report as it was originally intended.
SOC 2 Report: Report on Controls at a Service Organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Its use is generally restricted to certain identified users who, among other things, have some knowledge of the nature of services that the service organization provides. This report can offer greater assurance to customers and stakeholders about internal controls in areas that are not meant to be covered by a SAS 70 report.
SOC 3 Report: Trust Services Report for Service Organizations. SOC 3 reports address the same subject as a SOC 2 report, but in a shortened version (about one page) that can be used in a service organization’s promotional efforts and on its website. They can serve as a marketing tool showing potential clients and customers that the organization has controls in place to mitigate risks on nonfinancial matters.