Helping Service Organizations Effectively Safeguard Sensitive Data and Manage Risk
Ensuring the Soundness of a Service Organization’s Controls
In today’s global economy and technology-reliant culture, it is imperative for service organizations to prove they have adequate controls in place to effectively safeguard sensitive data and manage risk. Service Organization Control (SOC) Reports demonstrate that a service organization has been through an in-depth audit of its control objectives and control activities. While it used to be common just for large companies to have such a review performed, today service organizations large and small are performing these reviews in an effort to stay competitive in their marketplace by demonstrating they have effectively designed internal controls and business processes in place to protect customer data.
The Transition from SAS 70 to SSAE 16
The SAS 70 of yesterday refers to Statement on Auditing Standards (SAS) 70 which was developed by the AICPA in 1993 to provide guidance on the evaluation of control policies and procedures of a service organization. As of June 15, 2011, the auditing standard governing these types of examinations and reports was changed from SAS 70 to Statement of Standards for Attestation Engagements (SSAE) No 16 “Reporting on Controls at a Service Organization.”
The reason for the change is that SAS(s) are specifically designed to guide financial statement audits and reporting, and SSAEs are designed to guide examinations of other subject matter, such as internal controls.
SOC Reporting Options
Our dedicated SOC Practice team provides top-quality SSAE 16 reviews and readiness services, and includes individuals who are accredited Certified Public Accountants (CPA), Certified Information System Auditors (CISA) and Certified Information Systems Security Professionals (CISSP). We offer the following SOC reports:
- SOC 1 - Reporting on Controls at a Service Organization for a point in time or operating period (replacements of SAS 70 Type I and II reports)
- SOC 2 - Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy for a point in time or operating period
- SOC 3 - Reporting under Trust Services Principles and Criteria Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy for a point in time or operating period
- Agreed Upon Procedures Report – Performance of specific procedures and related results with no assurance opinion
- Readiness - Pre-examination evaluation and consultation advice to assist clients in achieving a successful examination and report, and improving operations and controls
SOC 1, SOC 2 and Agreed Upon Procedures are restricted use reports intended for an organization’s current customers and their auditors. SOC 3 is an unrestricted report and can be distributed to anyone, including prospective customers, and with the option of posting on an organization’s website through the WebTrust / SysTrust seal program.
For a comparative analysis of SOC 1, SOC 2, and SOC 3 reports, click on SOC Reports Comparison.
Formerly known as SAS 70 audits
*Audit and other attest services provided by Mayer Hoffman McCann P.C. - Tofias New England Division, an independent CPA firm.
Connect with Us: