Service Organization Control (SOC) Audits

More and more companies are outsourcing certain functions to service organizations. With that comes risk. Service organizations are being asked to provide assurances to their customers that their controls over financial reporting, IT security, availability, processing integrity, confidentiality, or privacy are adequate. SOC audit reports can meet these demands, as well as be an effective marketing tool to differentiate your service organization from competitors, attract new clients, and strengthen existing client relationships.

SOC 1/SSAE16 Reports (formerly SAS 70s) are for your customer’s financial reporting purposes. The audits usually cover Information Security, IT Change Control, IT Operations, and Business Processes that are relevant to the outsourced process.

SOC 2 and SOC 3 Reports are for both you and your customer’s compliance needs, marketing purposes, and management’s piece of mind. The audits can cover Security, Availability, Processing Integrity, Confidentiality, or Privacy. The audits can also be tailored to cover compliance requirements such as Graham Leach Bliley Act, HIPAA, PCI, Privacy, Cloud Security Alliance Controls, ISO frameworks, and more.

Keiter can perform SOC 1/SSAE16 audits for the following service organizations:

  • Application Service Providers
  • Claims Administrators
  • Data Centers
  • Third Party Administrators
  • Payroll Providers
  • Trust Departments
  • Web Hosting Providers
  • Bitcoin Custodians/Exchanges
  • and more

Keiter can perform SOC 2 and 3 audits for the following service organizations:

  • Cloud Computing
  • Customer Support
  • Managed Networks and Computing Systems
  • IT Outsourcing
  • Web Hosting Providers
  • Health Care Claims Management
  • and more

Three levels of SOC Audit Services

Readiness Assessment

A Readiness Assessment is designed to assess a service organization’s preparedness for a Type II audit by identifying internal controls that should be implemented or improved prior to an audit being performed.

Type I Audit

A Type I audit reports on management’s description of a service organization’s system and the suitability of design of controls. A Type I report is generally used if 1) the service organization needs a report in a short period of time (e.g., fulfill to an RFP), 2) it is the service organization’s first time going through the audit process, or 3) the service organization’s customers do not require an audit and therefore is using for marketing purposes.

Type II Audit

A Type II audit reports on management’s description of a service organization’s system and the suitability of design and operating effectiveness of controls. A Type II audit is the preferred report for service organizations as it generally satisfies its user organization auditor’s requirements.


Your Opportunity Advisors