Service Organization Controls (SOC) Reports
With more and more high-profile cases in the news, there is a heightened awareness of the need for strong internal controls. Many companies outsource tasks or entire functions to service organizations. Even though these functions are outsourced, it's the company's responsibility to ensure effective controls are in place. Even small outsourcing providers are beginning to receive requests for a third-party review of their internal control policies and procedures. If you are a service organization, a SOC report can be a seal of approval that you have effective controls over your clients' information.
Who needs a SOC?
Companies that typically need a SOC report include organizations that perform outsourced services on behalf of their customers. Examples are payroll processors, Software as a Service (SaaS) providers, network administrators, managed security providers, co-location data centers, cloud-computing providers, financial services processors, customer support call centers, accounts receivable processors, credit recovery managers, trust departments, transfer agents, custodians, mortgage servicers, ISP and web-hosting service providers, ASPs and many more.
Like a financial statement audit, a SOC report can only be issued by a certified public accountant. The engagement includes a review of the company's policies, procedures and controls that relate to the outsourced functions provided by clients to their customers.
Having a third- party assurance of your company's control policies and procedures sends a message to customers and prospects that they can rely on your company to handle information accurately and securely. Learn more from the American Institute of Certified Public Accountants.
Service Organization Control Reports
SOC 1 Report (SSAE 16) Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting. This is used only by auditors of user organizations and management of user entities. SSAE 16 requires the same level of evidence and assurance expected under the former SAS 70 service auditor engagement. It essentially fills the role of a SAS 70 report as it was originally intended.
SOC 2 Report: Report on Controls at a Service Organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Its use is generally restricted to certain identified users who, among other things, have some knowledge of the nature of services that the service organization provides. This report can offer greater assurance to customers and stakeholders about internal controls in areas that are not meant to be covered by a SAS 70 report.
SOC 3 Report: Trust Services Report for Services Organizations They address the same subject as a SOC 2 report, but in a shortened version (about one page) that can be used in a service organization's promotional efforts and on its website. They can serve as a marketing tool showing potential clients and customers that the organization has controls in place to mitigate risks on the nonfinancial matters.
For more information about our Service Organization Controls (SOC) Services, contact Linda Gabor CPA, CFE at 315.701.6346 or email@example.com or Michael G. Lisson, CPA at 315.701.6430 or firstname.lastname@example.org
Grossman St. Amour CPAs PLLC is located in Syracuse, New York. The Firm provides businesses and individuals with professional services in the areas of accounting, audit, taxation, business planning and valuation, financial planning and investment consulting, and fraud prevention and deterrence. For more information about how we can be of service to you, please visit www.gsacpas.com or contact email@example.com or call 315.424.1120.
Grossman St. Amour CPAs is an independent member of PrimeGlobal, one of the largest associationsindependent accounting firms in the world. PrimeGlobal is comprised of over 350 highly successful independent public accounting firms in 90 countries. Formed from a merger in 2011, PrimeGlobal provides its independent member firms with the tools and resources to help them furnish superior accounting, auditing, tax and management services to clients around the globe. Through PrimeGlobal, independent member firms offer the strength and capabilities of a large, worldwide organization with technical depth and geographic reach impossible for a local firm alone. For more information about PrimeGlobal, please visit www.primeglobal.net.