The Service Organization Controls (SOC) reporting framework and Statement on Standards for Attestation Engagements (SSAE) No. 16 are critical topics for service organizations. UHY LLP has deep industry knowledge and extensive experience in providing SOC reporting and related services for SOC 1 (SSAE 16), SOC 2, and SOC 3 reports. We will work with you to gain a thorough understanding of your business operations and related risks by providing a comprehensive and in-depth assessment of your organization’s control environment.
Our experience in providing SOC reporting extends to a wide range of industries and service organization types, including: cloud computing providers (SaaS, PaaS, IaaS); managed hosting and data center providers; and medical, dental, and pharmacy third-party administrators (TPAs) across a variety of industry verticals and specialties.
People are our most important resource. We have a wealth of exceptional people to serve our clients. Our SOC partners have an average of 25 years of experience in their specialties and are regular contributors and speakers at national and regional security and audit conferences. Our practitioners hold professional designations such as certified public accountant (CPA), certified information systems auditor (CISA), certified information systems security professional (CISSP), certified information security manager (CISM), certified internal auditor (CIA) and certified in the governance of enterprise IT (CGEIT).
We understand that spending money on third-party attestation is not something your organization wants to do. Our goal is to help you evaluate the reporting options and provide you and your customers with the right report, or set of reports, to meet your customers’ needs. We strive to complete the reporting process in the most effective and efficient manner possible to minimize the cost to, and effect on, your organization.
Our methodology has evolved in recent years as more and more organizations struggle with increased customer demands for more, and different, types of attestation reports. Many of our customers face multiple reporting requirements, such as SOC 1 (SSAE 16), SOC 2, HIPAA, and PCI DSS, in addition to international and federal reporting such as ISO, FedRAMP, NIST, BITS, and others (also see Internal Audit, Risk & Compliance).
Our methodology for performing compliance work is based on a concept we call “compliance convergence.” Because many compliance frameworks focus on common attributes, such as information privacy and security, data integrity, and training, tremendous synergy may be achieved. Our approach begins with a normalization of the requirements of the myriad frameworks. Next, we develop an audit plan that leverages this synergy to minimize the time required for sample selection, testing, and analysis.
Our first step in any attestation engagement is to understand the types of reports that you need to satisfy customer demand and contractual requirements. Because many control elements are similar between various types of attestation reporting, we map your controls to a master controls matrix and take advantage of the related synergies among the various reporting and controls frameworks. By ensuring that each control is tested only once, we can greatly reduce audit fees and reduce the time your internal personnel spend responding to information requests.
Service Organization Control (SOC) Reports
When trying to determine the type of SOC report that will best address your company’s and your customers’ needs, it is important to understand the underlying objective and purpose of each type of report.
SOC 1 (SSAE 16) Attestation Reports
SOC 1 reports evaluate a service organization’s internal controls that affect the financial reporting of companies using its services and communicate the results of this evaluation. Your business partners are often required by the Sarbanes-Oxley (SOX) Act of 2002, and other regulations, to assess the internal controls at your organization that affect their financial reporting. SOC 1 (SSAE 16) reports are intended to provide your business partners with this assessment. The critical factor in determining whether a SOC 1 (SSAE 16) report is appropriate is whether your company initiates, processes, or records transactions that ultimately impact your customers’ financial statements. If the services you provide for your customers do not impact your customers’ financial statements, then a SOC 2 or SOC 3 report is probably more appropriate. The AICPA issued Statement on Standards for Attestation Engagements 16 (SSAE 16), “Reporting on Controls at a Service Organization,” as a replacement for the former Statement on Auditing Standards 70 (SAS 70) in June 2011. Professionals engaged to perform SOC 1 engagements apply the standards found in SSAE 16; for this reason, SOC 1 reports are often referred to as SSAE 16 reports.
SOC 2 and SOC 3 Attestation Reports
SOC 2 and SOC 3 reports evaluate a service organization’s internal controls that affect the operations of companies using its services and communicate the results of this evaluation. SOC 2 and SOC 3 reports use the Trust Services Principles and Criteria as a framework for understanding the operational risks facing the company and for determining the internal controls related to Security, Availability, Processing Integrity, Confidentiality, or Privacy that address those risks. Companies may select one, several, or all five of the Principles to be reported on. Standards for performing SOC 2 and SOC 3 engagements are outlined in AICPA standard AT Section 101.
SOC Readiness Assessments
Our methodology for providing Service Organization Controls (SOC) attestation services for clients that have not been through the examination process before usually begins with a Readiness Assessment. The Readiness Assessment is the best way for us to obtain a full understanding of the services provided within the scope of the report and your control environment.
Our professionals will apply their knowledge of your business to assess your readiness to undergo a SOC 1, SOC 2, and/or SOC 3 attestation. We will meet with key personnel to gain a thorough understanding of current controls and identify potential gaps or areas of weakness that may need to be addressed before the attestation.
- Scope: Determine the significance of your business’ controls to user organizations’ internal control environments and identify the business processes and controls that will be covered in the SOC 1, SOC 2, and/or SOC 3 attestation.
- Project Planning: Develop a timeline and scope for the work to be completed.
- Controls Evaluation:
  - Determine relevant operational and IT controls
  - Perform walkthroughs to evaluate the appropriateness of control design
  - Identify and communicate control design deficiencies to management
  - Recommend required controls and guidelines to management
  - Allow time for management to remediate deficiencies prior to initiation of the SOC 1, SOC 2, and/or SOC 3 attestation period
- Assist in developing the description of your organization’s system, including a description of internal controls
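The “compliance convergence” approach described above (mapping each framework’s requirements onto a master controls matrix so that every control is tested once) and the readiness-assessment step of identifying control gaps can both be made concrete with a small crosswalk script. The example below is added here for illustration; it is not UHY’s tool or methodology code. The framework names are those mentioned on this page, but every requirement and control identifier (S1-R1, MC-01, and so on) is constructed for the example and does not correspond to any real criterion number.

```python
"""Control crosswalk: map framework requirements onto a master controls
matrix, derive the minimum set of controls to test, and flag readiness gaps.

All requirement and control identifiers below are constructed examples.
"""
from collections import defaultdict

# Master controls matrix: one entry per control the organization operates.
# (constructed identifiers and descriptions)
MASTER_CONTROLS = {
    "MC-01": "Unique user IDs and multi-factor authentication for administrative access",
    "MC-02": "Quarterly user access reviews",
    "MC-03": "Encryption of customer data at rest",
    "MC-04": "Annual security awareness training",
    "MC-05": "Documented change approval before production deployment",
}

# Each framework's requirements, mapped to the master controls that satisfy them.
# An empty list means no existing control addresses that requirement (a gap).
REQUIREMENTS = {
    "SOC 1":   {"S1-R1": ["MC-01", "MC-02"], "S1-R2": ["MC-05"]},
    "SOC 2":   {"S2-R1": ["MC-01"], "S2-R2": ["MC-03"], "S2-R3": ["MC-04"]},
    "HIPAA":   {"H-R1": ["MC-03"], "H-R2": ["MC-04"], "H-R3": []},
    "PCI DSS": {"P-R1": ["MC-01", "MC-02"], "P-R2": ["MC-03"], "P-R3": ["MC-05"]},
}


def build_matrix(requirements):
    """Return {control_id: {framework: [requirement_ids]}}.

    One test of a control produces evidence for every framework requirement
    listed under it, which is the synergy the convergence approach relies on.
    """
    matrix = defaultdict(lambda: defaultdict(list))
    for framework, reqs in requirements.items():
        for req_id, controls in reqs.items():
            for control in controls:
                matrix[control][framework].append(req_id)
    return {control: dict(frameworks) for control, frameworks in matrix.items()}


def controls_to_test(requirements):
    """Unique controls that must be tested (once each) to cover all mapped requirements."""
    return sorted(build_matrix(requirements))


def naive_test_count(requirements):
    """Number of control tests a framework-by-framework audit would perform,
    re-testing the same control for every requirement that cites it."""
    return sum(len(controls) for reqs in requirements.values() for controls in reqs.values())


def unmapped_requirements(requirements):
    """Requirements with no supporting control: readiness gaps management
    should remediate before the attestation period begins."""
    return [
        (framework, req_id)
        for framework, reqs in requirements.items()
        for req_id, controls in reqs.items()
        if not controls
    ]


def unknown_controls(requirements, master=MASTER_CONTROLS):
    """Mappings that cite a control absent from the master matrix (a mapping error)."""
    cited = {c for reqs in requirements.values() for controls in reqs.values() for c in controls}
    return sorted(cited - set(master))


if __name__ == "__main__":
    matrix = build_matrix(REQUIREMENTS)
    for control in controls_to_test(REQUIREMENTS):
        covered = ", ".join(f"{fw}: {'/'.join(ids)}" for fw, ids in matrix[control].items())
        print(f"{control} ({MASTER_CONTROLS[control]}) -> {covered}")
    print(f"tests with convergence: {len(controls_to_test(REQUIREMENTS))}, "
          f"without: {naive_test_count(REQUIREMENTS)}")
    print("gaps:", unmapped_requirements(REQUIREMENTS))
    print("unknown controls:", unknown_controls(REQUIREMENTS))
```

Running the script shows the effect the page describes: the constructed mapping needs five control tests instead of the twelve a framework-by-framework approach would perform, and the one requirement with no supporting control (H-R3) surfaces as a readiness gap before the attestation period starts. In practice the two dictionaries would be loaded from the organization’s own control inventory and mapping spreadsheet rather than hard-coded.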