SOC/SSAE16/SAS70 Overview
Building Trust and Confidence in Third-Party Relationships
Today's businesses rely heavily on outsourcing certain business tasks or functions to service organizations, even those that are core to their operations. In these scenarios, many of the service organization's risks become risks of the user entities. Security has become increasingly critical in light of ongoing internal-control breakdowns resulting in privacy breaches and fraud. Similarly, compliance has gained attention as government and industry regulations have emerged. These include the Sarbanes-Oxley Act, GLBA, Basel II, HITECH and HIPAA, and PCI. To address the need for security and compliance, user-entity management has increased due diligence and governance oversight of service organizations. In addition, rapid technological changes have heightened the need for service organizations to demonstrate the confidentiality, integrity, and accuracy of the systems used to process user entities' data.
Service organizations have responded to these challenges by engaging an independent CPA to examine and report on the service organization's controls. Since the early 1990s the most widely used framework for this has been Statement on Auditing Standards 70: Service Organizations, more commonly known as SAS 70. In 2010 the AICPA established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3 reports).
SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements. SOC 2 and SOC 3 engagements address controls at the service organization that relate to operations and compliance. SOC 1, 2 and 3 reports represent significant changes in service organization reporting approaches when compared to SAS 70.
Why Organizations Complete a Service Organization Control Report
A SOC report demonstrates that the organization went through an in-depth audit of its controls, specifically the control objectives and control activities. It is important to note that a SOC audit is not a checklist type of audit; it is a more subjective approach. The service auditor follows the AICPA's standards for reporting, but service auditors differ in their approach to a SOC engagement.
How TrustNet Helps
In today's global economy, IT service organizations and service providers must demonstrate that they have adequate controls and safeguards when they host or process customers' data. The AICPA's Service Organization Controls (SOC) reports are widely recognized as "the standard" for assessing the internal controls of service provider organizations. Since 2002, the requirements of Section 404 of the Sarbanes-Oxley Act have made SOC audit reports even more important to the process of reporting on effective internal controls at service organizations.
TrustNet is a full-service compliance and security firm that specializes in conducting SOC audits, including SSAE 16 engagements. We are a fully licensed and insured AICPA professional services firm. Our services include:
SOC Readiness Assessments
Our SOC Readiness Assessment is designed to assist service organizations in assessing their preparedness for a Type 1 or Type 2 SOC audit.
SOC Reports
Type 1 SOC
In a Type 1 SOC report the service auditor provides independent third-party verification as to whether the control activities described by a service organization are appropriately designed to meet specified control objectives and whether those controls were placed in operation as of a particular date.
Type 2 SOC
Type 2 SOC audits provide independent third-party verification as to whether the control activities described by a service organization are suitably designed to meet specified control objectives, and whether those controls were in place and operating effectively over a period of time, typically between six and twelve months.
Our approach ensures:
- Your employees understand the context and requirements of a SOC audit
- Your control processes and procedures are properly documented
- A comprehensive risk assessment is completed
- Control weaknesses are preemptively remediated, and recommendations for improvement are identified and communicated
- Testing is completed with minimal interruption to the organization
- There are no surprises when your SOC testing is completed