If you’re a service provider that processes your customers’ data or hosts their systems, an independent third-party attestation report is more than a requirement of doing business; it’s a vital opportunity to:
- Build trust with customers and potential customers
- Gain competitive advantage
- Streamline business processes
- Mitigate risks to achieving key business objectives
- Satisfy contract requirements
- Address customer audit requirements
- Comply with regulatory requirements
Developed by the AICPA, Service Organization Control (SOC) reports (formerly SAS 70) attesting to effective internal controls show customers they can rely on you to keep their data and systems secure and available. These reports also show customers that you process their transactions with integrity.
Only Certified Public Accountants in good standing can deliver SOC reports, and that’s where we come in. Not only is Perkins an independent third party with extensive SOC reporting expertise, we are a CPA firm licensed with the American Institute of Certified Public Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB).
Sizing up your SOC needs
The good news: attestation rules and related reports are evolving to address new business and technology trends related to internal controls (e.g., cloud computing, outsourcing, heightened privacy and confidentiality requirements, etc.). Even better news: we can help you identify and produce the SOC report that fits your needs. Consider issuing or requesting a SOC Report if you provide or receive services for:
- Cloud computing
- Customer support
- Enterprise IT outsourcing services
- Event planning
- Financial services customer accounting
- Health care claims, management and processing
- Managed security
- Sales force automation
SOC 1 Report
The SOC 1 Report provides the auditor of a user entity’s financial statements with information about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. A Type 2 SOC 1 Report includes a detailed description of tests of controls performed by the CPA plus results of these tests.
The SOC 1 report is based on the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). Our methodology and tools follow the standard AICPA Guide—Reporting on Controls at a Service Organization.
Our SOC 1 engagement scope and approach includes:
1) Determining if management’s description of the system is fairly presented
2) Evaluating whether the controls have been implemented through:
   - Discussions with management and specified personnel
   - Reviews of policy and procedure manuals and other system documentation
   - Walkthroughs to observe procedures and controls
3) Determining if the controls meet their stated objectives
4) Testing the controls by collecting and reviewing documentation to verify the consistent operation of controls over the period under review
5) Obtaining written representation and consideration of management’s assertion
6) Assembling a draft report for management review
7) Issuing the final report
SOC 2 Report
The SOC 2 Report provides management of a service organization, user entities and others with a) information about controls at a service organization relevant to the security, availability or processing integrity of the service organization’s system, or b) the confidentiality and privacy of the data processed by that system. A Type 2 SOC 2 Report includes a detailed description of tests of controls performed by the CPA and results of the tests.
The SOC 2 report is based on Attest Engagements Section 101 (AT 101). Our methodology and tools follow the AICPA Audit and Accounting Guide—Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2).
Our SOC 2 engagement scope includes assessing and reporting on one or more of the following principles and related criteria:
- Security: the system is protected against unauthorized access (both physical and logical)
- Availability: the system is available for operation and use as committed and agreed
- Processing integrity: system processing is complete, accurate, timely, and authorized
- Confidentiality: information designated as confidential is protected as committed and agreed
- Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA
The principles and related criteria (except for privacy) are organized into four areas:
- Policies: the entity has defined and documented its policies relevant to the particular principle
- Communications: the entity has communicated its defined policies to responsible parties and authorized users of the system
- Procedures: the entity placed in operation procedures to achieve its objectives in accordance with its defined policies
- Monitoring: the entity monitors the system and takes action to maintain compliance with its defined policies
The trust services principles and criteria of privacy are organized into two broad areas:
- Policies and communications: Privacy policies are written statements that convey management’s intent, objectives, requirements, responsibilities, and standards concerning privacy. Communications refers to the organization’s communication to individuals, internal personnel, and third parties about its privacy notice and its commitments therein and other relevant information.
- Procedures and controls: The other actions the organization takes to achieve the criteria.
SOC 3 Reports
Like SOC 2, SOC 3 provides assurance regarding controls that affect the security, availability, processing integrity, confidentiality and privacy of a service organization’s system—but it’s more digestible for a general audience, with no description of tests of controls and results. SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal and are intended to be used for marketing purposes.