System and Organization Controls Reporting
SOC 1®, SOC 2®, and SOC 3®
As companies search for an effective approach to outsourcing business processes, cost is not the only key factor to consider. Today, service organizations are under increasing pressure to provide customers with greater transparency on the effectiveness of their internal controls over the collection, processing, transmission, storage, organization, maintenance, and/or disposal of customer data. Depending on the services being delivered and their customers’ needs, service organizations must choose which examination type is relevant to their clients (SOC 1®, SOC 2®, SOC 3®) to minimize inquiries and requests for specific SOC reports from those customers.
One way for a service organization to communicate the strength and reliability of its internal controls is by getting an independent examination of the system used to provide services to its customers. Although not mandatory, the SOC examination report serves as an independent verification of the service organization’s internal controls. Companies from all industries are continuing to expect these critical verification processes in order to maintain a competitive advantage. The benefits of these examinations are realized by the service organizations, as well as the customers receiving their services.
BPM provides the following System and Organization Control (“SOC”) services in accordance with current AICPA Statement on Standards for Attestation Engagements (“SSAE”):
- SOC Readiness Assessments for Service Organizations
- SOC 1®: Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
- SOC 2®: Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (TSP 2017)
- SOC 3®: Examination – General use report (issued in conjunction with a SOC 2 report)
| Key question | Response | SOC report type required |
| --- | --- | --- |
| Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customers’ financial statements? | Yes | SOC 1® Report |
| Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? | Yes | SOC 2® or SOC 3® Report |
| Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor, and the results of those tests? | Yes | SOC 2® Report |