System and Organization Controls (SOC)
Is your organization demonstrating its commitment to maintain effective internal controls and safeguards to protect not only yourself but your customers? Outsourced services users and their auditors are increasingly requesting more information than ever before about the effectiveness of controls at the service organizations they use, or are considering using, for outsourced business functions.
Using the AICPA’s various SOC for Service Organizations offerings, our firm issues assurance reports that provide your users the valuable information they need to assess and address the risks associated with the outsourced services you provide, helping build trust and transparency.
As part of our SOC offering we deploy multidisciplinary teams composed of licensed CPAs and information technology and security specialists to ensure a comprehensive and thorough evaluation of controls related to the services you provide.
What are SOC for Service Organization Reports?
SOC for Service Organizations reports are internal control reports, issued by independent CPAs, on the services a service organization provides. The reports are:
Useful for evaluating the effectiveness of controls related to the services performed by a service organization
Appropriate for understanding how the service organization maintains oversight over third parties that provide services to customers
Useful in helping to reduce compliance burden by providing one report that addresses the shared needs of multiple users
Helpful in obtaining new clients and maintaining current customers
Upon issuance of one of the three SOC for Service Organization reports listed below by a licensed CPA, a service organization may use the “Service Organization Controls Report” logo provided by the AICPA on its website to market and promote the completion of the examination.
Understanding the SOC reports and which one your company may need can be confusing. Review the summary below to determine what will meet your needs. If you have additional questions about SOC for Service Organization, please contact us to speak to a knowledgeable resource.
Types of SOC for Service Organization Reports
SOC 1 — SOC for Service Organizations: Internal Control over Financial Reporting (ICFR)
These reports are specifically designed to address controls at the service organization that are relevant to the user entities’ financial statements. They enable user auditors to perform risk assessment procedures and obtain audit evidence about whether controls at the service organization are operating effectively. Use of these reports is restricted to management of the service organization, user entities, and user auditors.
SOC 2 — SOC for Service Organizations: Trust Services Criteria
These reports address controls relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process. They provide a level of detail sufficient to address the user’s vendor risk management needs and are restricted to specified parties with sufficient knowledge and understanding of the service organization’s system and the nature of services it provides. Use of these reports generally is restricted to service organization management, user entities of the system, business partners, CPAs providing services to user entities and business partners, and regulators.
SOC 3 — SOC for Service Organizations: Trust Services Criteria for General Use Report
Like SOC 2, these reports address controls relevant to security, availability, processing integrity, confidentiality and privacy. However, they do not provide the same level of detail. Therefore, they are considered general use reports and can be freely distributed.
SOC for Cybersecurity
SOC for Cybersecurity is a reporting framework through which organizations can communicate relevant, useful information about the effectiveness of their cybersecurity risk management program. It also allows CPAs to report on that information to meet the cybersecurity information needs of a broad range of stakeholders.