In an effort to address the evolving needs of the marketplace and help senior management and their auditors at a user entity to understand the risks associated with outsourcing to a service organization, the AICPA (American Institute of Certified Public Accountants) recently established three Service Organization Control (SOC) reporting options — SOC 1, SOC 2 and SOC 3 reports. These reporting options are aimed at cloud computing providers, SaaS providers, sales force automation, Internet retailers, health care claims processors and other information system service organizations who were increasingly being asked by their customers to provide assurance that they had effective controls for the data they were handling.
The AICPA’s new approach to reporting on a service organization’s controls offers several great options for more appropriately meeting the assurance needs of a service organization’s customers and/or customers’ auditors. Through the use of one or more SOC reports, service organizations can now more effectively satisfy the marketplace’s need for assurances by providing greater clarity and transparency to customers (and/or customers’ auditors) on both their financial reporting controls and their controls relevant to IT system attributes such as security, availability, processing integrity, confidentiality and privacy.
Benefits of a SOC Report
- Provides independent verification of effectively designed control objectives and control activities
- Satisfies customer audit requirements, Sarbanes-Oxley 404 requirements and other regulatory requirements
- Addresses customer concerns about security, availability, processing integrity, confidentiality and/or privacy
- Satisfies contractual requirements
- Demonstrates a committed investment in mitigating customers’ exposure to risk
- Contributes to a service organization’s overall professional image and serves to build trust with customers
- Provides a competitive advantage in a crowded market of service providers
MFA’s SOC Reporting Solutions
Whether transitioning from SAS 70 to SSAE 16 and SOC reports or considering a SOC report for the first time, the MFA team of professionals can guide you through the process. Not only do we provide SOC 1, SOC 2 and SOC 3 examination and reporting services, but we also offer SOC audit preparation advisory services designed to prepare companies for an upcoming examination.
There are several SOC reporting options available and MFA can assist you in determining which SOC report makes the most sense for your organization and your stakeholders (senior management, customers, prospects and business partners).