What is a SOC Report and Who Needs One?

What are SOC reports?

System and Organization Controls (SOC) reports, formerly Service Organization Control reports, are examinations provided by CPAs in connection with system-level controls of a service organization or entity-level controls at other organizations. These engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, which is a professional standard promulgated by the American Institute of Certified Public Accountants (AICPA).

Who needs a SOC report?

A SOC report is often requested by organizations (user entities) that receive significant services from a service organization and the user entities’ auditors (user auditors). Reasons why organizations or their auditors might request to review a SOC report include:

• Organizations need assurance regarding effective internal control as it relates to SOX, applicable trust services principles and/or categories, HIPAA, PCI, HITRUST and/or other laws, regulations or frameworks.
• User entities (and prospective users) need transparency regarding a system providing services, and assurance that relevant inherent risks are effectively mitigated (i.e., vendor risk management).
• Other organizations may need to provide their users with useful information about their cybersecurity risk management program in order for their users to make informed decisions.

About Schneider Downs
SOC Services 

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or view more SOC FAQ's at www.schneiderdowns.com/soc-report-faq.