Service Organization Control Audits

More and more companies are outsourcing business functions to service organizations. Outsourced payroll, data centers, software-as-a-service, healthcare services, and other services can reduce cost, simplify operations, and allow organizations to focus on the core business. With those benefits, however, comes risk. The internal workings of these organizations is a “black box”, and as a result, service organizations are being asked to provide assurances to their customers that their controls over financial reporting, IT security, availability, processing integrity, confidentiality, or privacy are adequate. Service Organization Control (SOC) audits reports can meet these demands, be an effective marketing tool to differentiate your service organization from competitors, attract new clients, and strengthen existing client relationships. All SOC audits are performed under SSAE 18.

SOC 1 reports (formerly known as SSAE 16 and SAS 70 reports) provide assurances that your clients can rely on the financial data produced by your systems and processes, thereby supporting their financial reporting. The audits usually cover Information Security, IT Change Control, IT Operations, and Business Processes that are relevant to the outsourced process.

SOC 2 and SOC 3 reports are for both you and your customer’s compliance needs, marketing purposes, and management’s piece of mind. The audits can cover Security, Availability, Processing Integrity, Confidentiality, or Privacy. The audits can also be tailored to cover compliance requirements such as Graham Leach Bliley Act, HIPAA, PCI, Privacy, Cloud Security Alliance Controls, ISO frameworks, and more.

Last, SOC for Cybersecurity reports provide assurances to your clients and management that your organizational cybersecurity objectives are being met. This examination can be customized to use any cybersecurity framework, such as the AICPA’s own Trust Services Criteria, NIST 800-53, NIST’s Cybersecurity Framework, Center for Internet Security’s Critical Security Controls for Effective Cyber Defense, ISO 27000/27001 or others. The choice of framework is frequently driven by the service organization’s industry or client demands.


Three levels of SOC Audit Services

Readiness Assessment

A Readiness Assessment is designed to assess a service organization’s preparedness for a Type II audit. We identify existing internal controls and additional controls that should be implemented or improved prior to an audit being performed. Additionally, we review any artifacts that the organization produces to demonstrate the controls are functioning, and we make a preliminary determination as to its suitability as audit evidence.

Type I Audit

A Type I audit reports on management’s description of a service organization’s system of internal controls and the suitability of the design of controls. It does not generally involve sample testing to demonstrate controls functioned effectively over a period of time. A Type I report is generally used if:

  • The service organization needs a report in a short period of time (e.g., to fulfill an RFP requirement)
  • It is the service organization’s first time going through the audit process
  • The service organization’s customers do not require an audit and therefore is using for marketing purposes

Type II Audit

A Type II audit provides the same assurances in a Type I audit, but also includes assurance over the operating effectiveness of internal controls. Unlike the Type I, the Type II provides assurances that internal controls operated effectively over a period of time, typically no longer than a year. The Type II audit is preferred by most service organizations because it generally satisfies its user organization auditor’s requirements.