Reporting on Controls at a Service Organization (formerly SAS 70 Audit)
In today’s competitive marketplace, service organizations are facing increased pressure from regulators and customers to demonstrate that adequate controls are in place with respect to the processing and safeguarding of customer data. The requirements of government regulations, including Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404), the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, stress the importance of internal controls like never before. In response to these and other pressures, service organizations are enacting strict compliance standards and implementing strong controls with respect to customer data residing within their organizations. As the bar is raised, standard contracts are requiring service organizations to attest to the effectiveness of their internal control structures. Obtaining a Service Organization Control (SOC) report (formerly SAS 70) has become increasingly relevant to companies of all sizes.
SOC reports provide the information users need to assess and address the risks associated with an outsourced service, and they are designed to help service organizations build trust and confidence in their service delivery processes and controls through a report issued by an independent certified public accountant. Being able to promptly provide this information, certified by an independent third party, has become increasingly important in a competitive marketplace.
Schneider Downs employs a unique approach to service organization reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations.
Types of Service Organization Reports Provided by Schneider Downs
- SOC 1 Report - Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting - These reports are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors) in evaluating the effect of the controls at the service organization on the user entities’ financial statements. Use of these reports is restricted to the management of the service organization, user entities and user auditors.
- SOC 2 Report - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy - These reports are intended to meet the needs of the broad range of users who need information and assurance about the controls at a service organization that affect the security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by those systems. Use of these reports is generally restricted.
- SOC 3 Report - Trust Services Report - These reports are designed to meet the needs of users who need assurance about the controls at a service organization that affect the security, availability and processing integrity of the systems the service organization uses to process users’ information, and the confidentiality or privacy of that information, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 Report. Because they are general-use reports, SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal.
Similar to SAS 70 reports, there are two types of reports available for SOC 1 and SOC 2 engagements:
- Type 1 - a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
- Type 2 - a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout the specified period.
For more information on Schneider Downs’ SAS 70 services, please contact Eric M. Wright or Steven D. Thompson.