System and Organization Control (SOC) Reports (formerly Service Organization Control Reports)

PRIMARY CONTACT: Eric Wright CPA, CITP (Pittsburgh)

System and Organization Controls (SOC) Reports

Organizations continue to face pressure from regulators and customers to demonstrate that adequate controls are in place with respect to the processing of transactions and safeguarding of data. Government regulations, including Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404), Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) stress the need for effective internal controls. In response to these and other pressures, organizations have enacted strict compliance standards and implemented controls with respect to customer data that resides within their organizations and the processing of client transactions. Further, standard contracts typically require organizations to attest to the effectiveness of their internal controls. Obtaining a SOC report (formerly SSAE 16, SAS 70 report) has become increasingly relevant for organizations of all sizes.

SOC Reports

System and Organization Controls (SOC) reports (formerly Service Organization Control reports) are examinations provided by CPAs in connection with system-level controls of a service organization or entity-level controls at other organizations.

SOC engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, which is effective for reports dated on or after May 1, 2017. SSAE 18 superseded SSAE 16 and is the accounting profession’s authoritative guidance for attestation engagements, including SOC reports. SSAE No. 18 does not significantly change the fundamentals of SOC engagements. Instead, it significantly restructures the attestation standards into the following:

  • AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (SOC 1)
  • AT-C 105, Concepts Common to All Attestation Engagements (all)
  • AT-C 205, Examination Engagements (SOC 2, SOC 3, etc.)

The standard also complements AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization.

Examples of organizations that may need a SOC report include:

  • Application service providers
  • Bank trust departments
  • Claims processing centers
  • Data centers or other data processing service bureaus
  • Investment management firms
  • Payroll and billing service providers
  • Mortgage services companies
  • Facilities management providers
  • Managed service providers
  • Inventory management service companies
  • Transportation and logistics companies
  • Cloud computing/SaaS providers

Receiving a clean (unqualified) SOC opinion demonstrates to clients that an organization has effective internal controls and related safeguards in place. In addition, the examination may uncover process and control efficiency opportunities. SOC reports provide valuable information that users need to assess and address risks associated with an outsourced service. The reports are designed to help organizations build trust and confidence in their processes and controls through an examination by an independent certified public accountant. In today’s marketplace, an organization’s ability to furnish a SOC report has rapidly become requisite.

Types of SOC Reports:

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations.