Organizations continue to face pressure from regulators and customers to demonstrate that adequate controls are in place with respect to the processing of transactions and safeguarding of data. Government regulations, including Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), stress the need for effective internal controls. In response to these and other pressures, organizations have enacted strict compliance standards and implemented controls with respect to customer data that resides within their organizations and the processing of client transactions. Further, standard contracts typically require organizations to attest to the effectiveness of their internal controls. Obtaining a SOC report (formerly SSAE 16, SAS 70 report) has become increasingly relevant for organizations of all sizes.
System and Organization Controls (SOC) reports (formerly Service Organization Control reports) are examinations provided by CPAs in connection with system-level controls of a service organization or entity-level controls at other organizations.
SOC engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, which is effective for reports dated on or after May 1, 2017. SSAE 18 superseded SSAE 16 and is the accounting profession's authoritative guidance for attestation engagements, including SOC reports. SSAE No. 18 does not significantly change the fundamentals of SOC engagements. Instead, it significantly restructures the attestation standards into the following:
The standard also complements AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization.
Examples of organizations that may need a SOC report include:
Receiving a clean (unqualified) SOC opinion demonstrates to clients that an organization has effective internal controls and related safeguards in place. In addition, the examination may uncover process and control efficiency opportunities. SOC reports provide valuable information that users need to assess and address risks associated with an outsourced service. The reports are designed to help organizations build trust and confidence in their processes and controls through an examination by an independent certified public accountant. In today's marketplace, an organization's ability to furnish a SOC report has rapidly become a requirement.
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations.