Service Organization Control (SOC) Reports | Boston | Newport | Providence

CBIZ Inc. | Mayer Hoffman McCann P.C. | Staff Access


About Us	Services	Industries	News & Events	Careers	Contact Us	Locations	Blog

Service Organization Control (SOC) Reports

Helping Service Organizations Effectively Safeguard Sensitive Data and Manage Risk

Ensuring the Soundness of a Service Organization’s Controls

CBIZ Tofias and Mayer Hoffman McCann Private Company Whitepaper

In today’s global economy and technology-reliant culture, it is imperative for service organizations to prove they have adequate controls in place to effectively safeguard sensitive data and manage risk. Service Organization Control (SOC) Reports demonstrate that a service organization has been through an in-depth audit of its control objectives and control activities. While it used to be common just for large companies to have such a review performed, today service organizations large and small are performing these reviews in an effort to stay competitive in their marketplace by demonstrating they have effectively designed internal controls and business processes in place to protect customer data.

The Transition from SAS 70 to SSAE 16

The SAS 70 of yesterday refers to Statement on Auditing Standards (SAS) 70 which was developed by the AICPA in 1993 to provide guidance on the evaluation of control policies and procedures of a service organization. As of June 15, 2011, the auditing standard governing these types of examinations and reports was changed from SAS 70 to Statement of Standards for Attestation Engagements (SSAE) No 16 “Reporting on Controls at a Service Organization.”

The reason for the change is that SAS(s) are specifically designed to guide financial statement audits and reporting, and SSAEs are designed to guide examinations of other subject matter, such as internal controls.

SOC Reporting Options

Our dedicated SOC Practice team provides top-quality SSAE 16 reviews and readiness services, and includes individuals who are accredited Certified Public Accountants (CPA), Certified Information System Auditors (CISA) and Certified Information Systems Security Professionals (CISSP). We offer the following SOC reports:

SOC 1 - Reporting on Controls at a Service Organization for a point in time or operating period (replacements of SAS 70 Type I and II reports)
SOC 2 - Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy for a point in time or operating period
SOC 3 - Reporting under Trust Services Principles and Criteria Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy for a point in time or operating period
Agreed Upon Procedures Report – Performance of specific procedures and related results with no assurance opinion
Readiness - Pre-examination evaluation and consultation advice to assist clients in achieving a successful examination and report, and improving operations and controls

SOC 1, SOC 2 and Agreed Upon Procedures are restricted use reports intended for an organization’s current customers and their auditors. SOC 3 is an unrestricted report and can be distributed to anyone, including prospective customers, and with the option of posting on an organization’s website through the WebTrust / SysTrust seal program.

For a comparative analysis of SOC 1, SOC 2, and SOC 3 reports, click on SOC Reports Comparison.

Formerly known as SAS 70 audits

*Audit and other attest services provided by Mayer Hoffman McCann P.C. - Tofias New England Division, an independent CPA firm.

PRINT VERSION

Accounting and Auditing

Financial Statement Audits and Reviews

Employee Benefit Plan Audits

Internal Audit

Project Management

Royalty & Licensing Audits

SOC Reports (formerly SAS 70)

Coaching & Retreat Services

Construction Cost Reviews

Family Office Services

Forensic, Litigation and Valuation Services

Public Company Services

Retirement Plan Services

Tax Services

Connect with Us: