If you’re a service provider that processes your customers’ data or hosts their systems, an independent third-party attestation report is more than a requirement of doing business; it’s a vital opportunity to:
- Build trust with customers and potential customers
- Gain competitive advantage
- Streamline business processes
- Mitigate risks to achieving key business objectives
- Satisfy contract requirements
- Address customer audit requirements
- Comply with regulatory requirements
Show customers they can rely on you.
Developed by the AICPA, Service Organization Control (SOC) reports (formerly SAS 70) attesting to effective internal controls show customers you keep their data and systems secure and available. These reports also show customers that you process their transactions with integrity.
Only Certified Public Accountants in good standing can deliver SOC reports, and that’s where we come in. Not only is Perkins an independent third party with extensive SOC reporting expertise, we are a CPA firm licensed with the American Institute of Certified Public Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB).
Sizing up your SOC needs
The good news: Attestation rules and related reports are evolving to address new business and technology trends related to internal controls (e.g., cloud computing, outsourcing, and heightened privacy and confidentiality requirements).
Even better news: We can help you identify and produce the SOC report that fits your needs. Consider issuing or requesting a SOC report if you provide or receive services for:
- Enterprise IT outsourcing services
- Financial services customer accounting
- Health care claims, management, & processing
- Sales force automation
SOC 1 Report
The SOC 1 Report provides the auditor of a user entity’s financial statements with information about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. A Type 2 SOC 1 Report includes a detailed description of tests of controls performed by the CPA plus results of these tests.
The SOC 1 report is based on Statement on Standards for Attestation Engagements No. 16 (SSAE 16). Our methodology and tools follow the AICPA Guide, Reporting on Controls at a Service Organization.
SOC 1 BASICS
Our SOC 1 engagement scope and approach includes:
- Determining if management’s description of the system is fairly presented
- Evaluating whether the controls have been implemented through:
  - Discussions with management and specified personnel
  - Reviews of policy and procedure manuals and other system documentation
  - Walk-throughs to observe procedures and controls
- Determining if the controls meet their stated objectives
- Testing the controls by collecting and reviewing evidence of their consistent operation over the period under review
- Obtaining written representation from management and considering management’s assertion
- Assembling a draft report for management review
- Issuing the final report
SOC 2 Report
The SOC 2 Report provides management of a service organization, user entities, and others (a) information about controls at a service organization relevant to the security, availability, or processing integrity of the service organization’s system, or (b) the confidentiality and privacy of the data processed by that system.
A Type 2 SOC 2 Report includes a detailed description of tests of controls performed by the CPA and results of the tests.
SOC 2 BASICS
Our SOC 2 engagement scope includes assessing and reporting on one or more of the following principles and related criteria:
- Security: the system is protected against unauthorized access (both physical and logical)
- Availability: the system is available for operation and use as committed and agreed
- Processing integrity: system processing is complete, accurate, timely, and authorized
- Confidentiality: information designated as confidential is protected as committed and agreed
- Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA
PRINCIPLES & RELATED CRITERIA
- Policies: the entity has defined and documented its policies relevant to the particular principle
- Communications: the entity has communicated its defined policies to responsible parties and authorized users of the system
- Procedures: the entity placed in operation procedures to achieve its objectives in accordance with its defined policies
- Monitoring: the entity monitors the system and takes action to maintain compliance with its defined policies
TRUST SERVICES PRINCIPLES & CRITERIA OF PRIVACY
- Policies and communications: Privacy policies are written statements that convey management’s intent, objectives, requirements, responsibilities, and standards concerning privacy. Communications refers to the organization’s communication to individuals, internal personnel, and third parties about its privacy notice and its commitments therein and other relevant information.
- Procedures and controls: The other actions the organization takes to achieve the criteria.
SOC 3 Report
Like SOC 2, SOC 3 provides assurance regarding controls that affect the security, availability, processing integrity, confidentiality, and privacy of a service organization’s system, but it is more digestible for a general audience, with no description of tests of controls and their results.
SOC 3 reports can be freely distributed or posted on a website with the SysTrust for Service Organizations seal and are intended to be used for marketing purposes.
Don't take our word for it
“Peter Kwong and Brigette Sutherland are the best. I rely on them to get me the proper guidance to move the business forward. Changing to Perkins was one of my best decisions in the last 5 years.”
Crawford Holding Company Inc.
“I love my audit and tax teams at Perkins & Co. They are very knowledgeable, easy to work with and excellent business partners.”