written by Joe Page
Have your customers requested assurance that your processes and systems are controlled? Do you feel comfortable that the business processes and IT processes you have in place are controlled to prevent/detect unnecessary mistakes, unauthorized transactions, unauthorized modifications to data, and fraudulent activity? A SOC report may be the answer to these questions.
Three types of reports
There are three different types of Service Organization Control (SOC) reports (formerly SAS 70 reports), which cover varying levels of the operating effectiveness of a service organization’s controls. A SOC 1 report covers controls relevant to the user entities’ internal control over financial reporting, and is restricted to controls relevant to an audit of a user’s financial statement. A SOC 2 report covers controls relevant to security, availability, processing integrity, confidentiality, or privacy. A SOC 3 report is a trust services report for service organizations.
If your company or organization provides a service that may affect your customers’ financial statements, then your customers, their auditors, and your potential future customers want to make sure their financial information is accurate, complete, and recorded properly, as well as secure from unauthorized access.
This is where a Service Organization Control Report comes in. Because the SOC report assesses the design and operating effectiveness of a service organization’s controls, the report can be provided to customers as evidence of the effectiveness of your controls.
Who should consider a SOC report?
The following organizations would consider obtaining a SOC Report: payroll service providers, claims processors, benefits administrators, third party administrators, clearinghouses, transfer agents, trust administrators, data centers, application service providers (ASPs), and outsourced IT departments.
Because of the increasing use of the report, however, many organizations are being asked whether they have a SOC report by customers who don’t really understand what the report covers or whether it is really relevant to their own financial statements. It’s therefore important to have at least a basic understanding of the uses of the reports so that you can discuss the customer’s request.
The American Institute of Public Accountants website is an excellent first stop in learning more about SOC reports.