SOC Reports System and Organization Controls

Overview

As the use of third-party service providers has grown exponentially in recent years, so has the demand for System and Organization Controls (SOC) auditor examinations and related reports. Mueller’s SOC team has been performing these examinations since their origination in 2011; they now include SOC 1, SOC 2, SOC 3, and, most recently, SOC for Cybersecurity reports. Mueller’s dedicated SOC team includes a group of professionals with over 30 years of combined experience in preparing, reviewing, and relying on hundreds of SOC reports. Our team combines financial statement audit, IT audit, cybersecurity audit, and internal controls skills with extensive experience across many industries.

Mueller's SOC Service Values:

Consistency

  • Mueller’s SOC team is close-knit, specialized, and dedicated, which contributes to efficiencies gained throughout the different engagements
  • Mueller prides itself on providing the same personnel and team structure from start to finish, year after year
  • Because of the close-knit team, the overall audit approach and methodology is also consistently applied year over year

Collaborative Approach & Continuous Improvement

  • Client facing and interaction focused
  • Entity Risk-Based Approach to meet defined SOC objectives/criteria
  • Constant feedback and communication of best practices
  • Recommendations for improvement throughout the engagements
  • Flexibility to meet Client needs and schedules

National Presence With Local Touch

  • Clients across the United States, including California, Texas, Louisiana, and North Carolina, to name a few
  • Perform SOC audits ranging from managed security service providers and securities trading platforms to payroll and insurance claims processing organizations
  • Onsite presence available during engagements regardless of location
  • Fully remote engagements also available

Proactiveness

  • Mueller performs all scheduling related to planning and final fieldwork of the engagements, on average, 6 months ahead of time
  • At minimum, weekly open item follow-ups and updates with clients to ensure timely completion and issuance of SOC reports
  • Interim and final request lists issued, on average, at least 2 months before as of/period end dates

Expertise

  • Niche established within Mueller when service organization attestation reports first started (SAS 70)
  • Members of the niche are highly focused on performance of SOC audits
  • All members of the SOC niche are Certified Public Accountants (CPAs)
  • Management and above are Certified Information Systems Auditors (CISAs)

SOC 1, 2, 3 Defined

SOC 1: Formerly SAS 70, this is an examination of internal controls over financial reporting that is based on AICPA’s guidance for auditors, SSAE 18. This is intended to be an “auditor to auditor” report.

SOC 2: This is an examination of operational or compliance controls (not solely financial reporting) that is focused on one or more key system attributes of security, availability, processing integrity, confidentiality, and privacy (Trust Services Criteria), depending on what is relevant and important to your customers. This is intended to be a report from company management to customer management (not auditor to auditor).

SOC 3: These examinations are the same as SOC 2 with the exception that the report does not include management’s detailed description of processes and systems, and the company can place a publicly visible SOC seal on its website with a link to the report on the stated key system attributes of security, availability, processing integrity, confidentiality, and privacy.

SOC for Cybersecurity: Concerns over cybersecurity are on the rise in many organizations, and there is a growing need for businesses to demonstrate that they are effectively controlling this threat. In 2017, the AICPA developed a new cybersecurity risk management reporting framework that helps organizations communicate about, and CPAs report on, cybersecurity risk management programs.

Who We Serve

We see that System and Organization Controls examinations are typically relevant to companies that provide outsourced services such as:

  • Payroll Processing
  • Claim Processing
  • Collections Processing
  • Medical Billing
  • Employee Benefit Plan Administrators
  • AR/AP Processing
  • Data Centers
  • Application Hosting Firms
  • Co-location Center Firms
  • Professional-Law & Accounting Firms
  • Managed Security Service Providers (MSSP)
  • Cloud-based Software-as-a-Service (SaaS) Providers
