Overview: The new guidance issued by the AICPA, effective in June 2011, along with the growing trend for companies to outsource business functions, has resulted in greater demand for auditor examinations and reporting on Service Organization Controls (“SOC”). Mueller's SOC team includes professionals with over 30 years of combined experience in preparing, reviewing, and relying on hundreds of SAS 70 reports (currently called SOC reports). Our team combines financial statement audit, IT audit, and internal controls skills with extensive experience in many industries.
SOC 1, 2, and 3 Defined
SOC 1: Formerly SAS 70, this is an examination of internal controls over financial reporting that is based on AICPA’s guidance for auditors, SSAE 16. This is intended to be an “auditor to auditor” report.
SOC 2: This is an examination of operational or compliance controls (not solely financial reporting) that is focused on one or more key system attributes of security, availability, processing integrity, confidentiality, and privacy (Trust Services Principles), depending on what is relevant and important to your customers. This is intended to be a report from company management to customer management (not auditor to auditor).
SOC 3: SOC 3 examinations are the same as SOC 2 with the exception that the report does not include management’s detailed description of processes and systems, and the company can place a publicly visible SOC seal on its website with a link to the report on the stated key system attributes of security, availability, processing integrity, confidentiality, and privacy.
We see that Service Organization Controls examinations are typically relevant to companies that provide outsourced services such as:
| Payroll Processing | AR/AP Processing |
| Claims Processing | Data Centers |
| Collections Processing | Application Hosting |
For a complimentary consultation, please contact:
Mike Becker CPA, CISA // Director - IT Audit // mbecker@muellercpa.com // (312) 445-5883