
Services

 
Service Organization Control (“SOC”)
 

As defined by the AICPA, Service Organization Control reports are internal control reports on the services provided by a service organization. They give users the information they need to assess and address the risks associated with an outsourced service. Statement on Auditing Standards (SAS) No. 70, which had been used since 1992 for reporting on service organizations, has now been replaced by two new standards:

Statement on Standards for Attestation Engagements (SSAE16) for reporting on controls for financial statement audits.
Attestation Engagements (Section 101) for reporting on controls related to compliance or operations.

According to the AICPA, there are three types of SOC (SOC1 through SOC3). For the auditing standards applicable to each type of SOC, please refer to the following table:

New Standards & Options

| Service Org Control 1 (SOC 1) | Service Org Control 2 (SOC 2) | Service Org Control 3 (SOC 3) |
|---|---|---|
| SSAE 16, Service auditor guidance | AT 101, Attestation Engagement | AT 101, Attestation Engagement |
| Restricted Use Report (Type I or II report) | Restricted Use Report (Type I or II report) | General Use Report (Type I or II report) |
| Reports on controls for financial statement (F/S) audits | Reports on controls related to compliance or operations | Reports on controls related to compliance or operations |

Trust Services Principles & Criteria

SOC Readiness & Maintenance Services:
We provide SOC readiness implementation services, including annual maintenance and testing of controls. As part of these services, we assist service organizations in accomplishing the following:

Risk Assessment
Design and implementation of controls to address identified risks
Walkthroughs and testing of operating effectiveness of controls for Type II reports
Assistance in preparation of:
   — Policies and procedures and process narratives
   — Description of services being provided, including controls implemented and results of testing (for Type II), for presentation to user organizations