System and Organization Controls (SOC) reports, formerly Service Organization Control reports, are examinations provided by CPAs in connection with system-level controls of a service organization or entity-level controls at other organizations. These engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, which is a professional standard promulgated by the American Institute of Certified Public Accountants (AICPA).
Who needs a SOC report?
A SOC report is often requested by organizations (user entities) that receive significant services from a service organization and the user entities’ auditors (user auditors). Reasons why organizations or their auditors might request to review a SOC report include:
Organizations need assurance regarding effective internal control as it relates to SOX, applicable trust services principles and/or categories, HIPAA, PCI, HITRUST and/or other laws, regulations or frameworks.
User entities (and prospective users) need transparency regarding a system providing services, and assurance that relevant inherent risks are effectively mitigated (i.e., vendor risk management).
Other organizations may need to provide their users with useful information about their cybersecurity risk management program in order for their users to make informed decisions.
About Schneider Downs
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or view more SOC FAQ's at www.schneiderdowns.com/soc-report-faq.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.