The Service Organization Controls (SOC) reporting framework and Statement on Standards for Attestation Engagements (SSAE) No. 16 are critical topics for service organizations. UHY LLP has deep industry knowledge and extensive experience in providing SOC reporting and related services for SOC 1 (SSAE 16), SOC 2, and SOC 3 reports. We will work with you to gain a thorough understanding of your business operations and related risks by providing a comprehensive and in-depth assessment of your organization’s control environment.
Our experience in providing SOC reporting extends to a wide range of industries and service organization types including: Cloud Computing providers (SaaS, PaaS, IaaS), Managed Hosting and data centers, medical, dental, and pharmacy third-party administrators (TPAs) in a variety of industry verticals and specialties.
People are our most important resource. We have a wealth of exceptional people to serve our clients. Our SOC partners have an average of 25 years of experience in their specialties and are regular contributors and speakers at national and regional security and audit conferences. Our practitioners hold professional designations such as certified public accountant (CPA), certified information systems auditor (CISA), certified information systems security professional (CISSP), certified information security manager (CISM), certified internal auditor (CIA) and certified in the governance of enterprise IT (CGEIT).
We understand that spending money on third party attestation is not something your organization wants to do. Our goal is to help you evaluate the reporting options and provide you and your customers with the right report or set of reports to meet their needs. We strive to complete the reporting process in the most effective and efficient manner possible to minimize the cost to and effect on your organization.
Our methodology has evolved in recent years as more and more organizations struggle with increased customer demands for more and different types of attestation reports. Many of our customers face multiple reporting requirements such as SOC 1 (SSAE 16), SOC 2, HIPAA, PCI-DSS, in addition to international and federal reporting such as ISO, Fedramp, NIST, BITS, and others (also see Internal Audit, Risk & Compliance).
Our methodology for performing compliance work is based on a concept we call “compliance convergence.” Because many compliance frameworks focus on common attributes, such as information privacy and security, data integrity, and training; tremendous synergy may be achieved. Our approach begins with a normalization of the requirements of the myriad framework requirements. Next, we develop an audit plan that leverages this synergy to minimize the time required for sample selection, testing, and analysis.
Our first step in any attestation engagement is to understand the types of reports that you need to satisfy customer demand and contractual requirements. Because many control elements are similar between various types of attestation reporting, we map your controls to a master controls matrix and take advantage of the related synergies among the various reporting and controls frameworks. By ensuring that each control is tested only once, we can greatly reduce audit fees and reduce the time your internal personnel spend responding to information requests.
Service Organization Control (SOC) Reports
When trying to determine the type of SOC report that will best addresses your company and your customer’s needs, it is important to understand the underlying objective and purpose for each type of report.
SOC 1 (SSAE 16) Attestation Reports
SOC 1 reports evaluate a service organization’s internal controls that affect the financial reporting of companies using their services and communicate the results of this evaluation. Your business partners are often required by the Sarbanes-Oxley (SOX) Act of 2002, and other regulations, to assess the internal controls at your organization that affect their financial reporting. SOC 1 (SSAE 16) reports are intended to provide your business partners with this assessment. The critical factor in determining if a SOC 1 SSAE 16 report is appropriate is whether your company initiates, processes, or records transactions that ultimately impact your customer’s financial statements. If the services you provide for your customers do not impact your customer’s financial statements, then a SOC 2 or SOC 3 report is probably more appropriate. The AICPA issued Statement on Standards for Attestation Engagements 16 (SSAE 16), “Reporting on Controls at a Service Organization,” as a replacement for the former Statement on Auditing Standards 70 (SAS 70) in June 2011. Professionals engaged to perform SOC 1 engagements apply the auditing standards found in SSAE 16. For this reason, they are often referred to as SSAE 16 reports.
SOC 2 and SOC 3 Attestation Reports
SOC 2 and SOC 3 reports evaluate a service organization’s internal controls that affect the operations of companies using their services and communicate the results of this evaluation. SOC 2 and SOC 3 reports use the Trust Services Principles and Criteria as a framework for understanding operational risks facing the company and for determining the internal controls related to Security, Availability, Processing Integrity, Confidentiality, or Privacy that address those risks. Companies may select one, several, or all of the five Principles to be reported on. Standards for performing SOC 2 and SOC 3 reports are outlined in AICPA standard AT Section 101.
SOC Readiness Assessments
Our methodology for providing Service Organization Controls (SOC) attestation services for clients that have not been through the examination process before usually begins with a Readiness Assessment. The Readiness Assessment is the best way for us to obtain a full understanding of the services provided within the scope of the report and your control environment.
Our professionals will apply their knowledge of your business to assess your readiness to undergo a SOC 1, SOC 2, and/or SOC 3 attestation. We will meet with key personnel to gain a thorough understanding of current controls and identify potential gaps or areas of weakness that may need to be addressed before the attestation.
The Financial Accounting Standards Board (FASB) issued a new Accounting Standard Update in early 2017 (ASU 2017-05) to clarify guidance on Accounting Standard Codification (ASC) Subtopic 610-20 - Gains and Losses from the Derecognition of Nonfinancial Assets. All public entities should apply the amendments in ASU 2017-05 to annual reporting periods beginning after Dec. 15, 2017.
The Financial Accounting Standards Board (FASB) has issued Accounting Standards Update (ASU) 2017-08 to update the amortization period of certain callable debt securities held at a premium, requiring the premium to be amortized to the earliest call date. Entities generally amortize the premiums and discounts on callable debt securities over the contractual life of the instrument under current GAAP.
In 2015, the Financial Accounting Standards Board issued Accounting Standards Update Simplifying the Measurement of Inventory (ASU 2015-11). This standard simplifies the subsequent measurement of inventory by replacing the "lower of cost or market" test with a new "lower of cost and net realizable value test." However, entities that use the LIFO or retail inventory methods, will continue applying their current impairment models.
The Financial Accounting Standards Board (FASB) released Accounting Standards Update (ASU) 2017-01 in order to have more consistent application of accounting principles relating to business and asset acquisitions and disposals. The ASU aims to achieve this by clarifying the definition of a business with the objective of adding guidance to assist entities with evaluating whether transactions should be accounted for as acquisitions (or disposals) of assets or businesses.
With the release of Accounting Standards Update (ASU) 2016-09 by FASB, accounting for employee share-based payments will take a more simplified approach to both accounting and financial reporting. One change noted in the ASU is that any excess tax benefit that used to be recognized as additional paid-in capital is now to be recorded as income tax expense. Any tax deficiencies are now to be reported on the income statement and cannot be used to offset accumulated excess tax benefits.