System and Organization Control (SOC) Reports

Organizations continue to face pressure from regulators and customers to demonstrate that adequate controls are in place with respect to the processing of transactions and safeguarding of data. Government regulations, including Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404), Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) stress the need for effective internal controls. In response to these and other pressures, organizations have enacted strict compliance standards and implemented controls with respect to customer data that resides within their organizations and the processing of client transactions. Further, standard contracts typically require organizations to attest to the effectiveness of their internal controls. Obtaining a SOC report (formerly SSAE 16, SAS 70 report) has become increasingly relevant for organizations of all sizes.

SOC Reports

System and Organization Controls (SOC) reports (formerly Service Organization Control reports) are examinations provided by CPAs in connection with system-level controls of a service organization or entity-level controls at other organizations.

SOC engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, which is effective for reports dated on or after May 1, 2017. SSAE 18 superseded SSAE 16 and is the accounting profession's authoritative guidance for attestation engagements, including SOC reports. SSAE No. 18 does not significantly change the fundamentals of SOC engagements. Instead, it significantly restructures the attestation standards into the following:

  • AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities Internal Control Over Financial Reporting (SOC 1)
  • AT-C 105, Concepts Common to All Attestation Engagements (all)
  • AT-C 205, Examination Engagements (SOC 2, SOC 3, etc.)

The standard also complements AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization.

Examples of organizations that may need a SOC report include:

  • Application service providers
  • Bank trust departments
  • Claims processing centers
  • Data centers or other data processing service bureaus
  • Investment management firms
  • Payroll and billing service providers
  • Mortgage services companies
  • Facilities management providers
  • Managed service providers
  • Inventory management service companies
  • Transportation and logistics companies
  • Cloud computing/SaaS providers

Receiving a clean (unqualified) SOC opinion demonstrates to clients that an organization has effective internal controls and related safeguards in place. In addition, the examination may uncover process and control efficiency opportunities. SOC reports provide valuable information that users need to assess and address risks associated with an outsourced service. The reports are designed to help organizations build trust and confidence in their processes and controls through an examination by an independent certified public accountant. In today's marketplace, an organization's ability to furnish a SOC report has rapidly become requisite.

Types of SOC Reports:

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations.

case studies

Ransomware attack halted a global manufacturer's operations.
big problem:
Ransomware attack halted a global manufacturer's operations.
big thinking:
Recover and secure the system – fast – save $1 million in ransom.
High tax burden for family-owned franchisor.
big problem:
High tax burden for family-owned franchisor.
big thinking:
Comprehensive planning for a 15% tax reduction.

Have a question? Ask us!

We'd love to hear from you. Drop us a note, and we'll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office

One PPG Place, Suite 1700
Pittsburgh, PA 15222
p:412.261.3644     f:412.261.4876

Map of Columbus Office

65 East State Street, Suite 2000
Columbus, OH 43215
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102