Reporting on Controls at a Service Organization

PRIMARY CONTACTS: Eric Wright CPA, CITP (Pittsburgh), Donald Owens CPA, CITP, CIA, CFF, CBA, CFSA, CRMA (Columbus)

In today’s competitive marketplace, service organizations are facing increased pressure from regulators and customers to demonstrate that adequate controls are in place with respect to the processing of transactions and safeguarding of data on behalf of their customers. The requirements of government regulations, including Section 404 of the Sarbanes-Oxley Act of 2002, (Sox 404), Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) stress the need for effective internal controls like never before. In response to these and other pressures, service organizations are enacting strict compliance standards and implementing strong controls with respect to customer data residing within their organizations and the processing of client transactions. With the raising of the bar, standard contracts are requiring service organizations to attest to the effectiveness of their internal control structures. Obtaining a Service Organization Control (SOC) report (formerly SAS 70 report) has become an increasingly relevant option for companies of all sizes.

SOC Reports

A SOC report is often requested by organizations (user entities) that receive significant services from a service organization (organization that provides services critical to the client) and by the client’s auditors (user auditors). Examples of service organizations include:

  • Application service providers
  • Bank trust departments
  • Claims processing centers
  • Data centers or other data processing service bureaus
  • Investment management firms
  • Payroll and billing service providers
  • Real estate title and closing companies

Receiving a clean (unqualified) SOC opinion demonstrates to clients that a service organization has effective internal controls and related safeguards in place. In addition, the examination may uncover process and control efficiency opportunities. SOC reports provide valuable information users need to assess and address the risks associated with an outsourced service. The report is designed to help service organizations build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant. In today’s marketplace, an organization’s ability to furnish its clients with a SOC report is rapidly becoming requisite.

Types of SOC Reports Include:

Schneider Downs employs a unique approach to service organization reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations.