mahoning valley historical society

 

old computer


IT Links

 

back


Services: Information Technology Services

gold separator

SOC 1 (SSAE16)

SOC Reports Information for Service Organizations
Service Organization Controls (SOC) reports are designed to help service organizations, organizations that operate information systems and services to other companies, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.

There are three types of reports to support service organizations:

SOC 1 Report – (SSAE 16)
These reports are specifically intended to meet the needs of companies that use service providers and the customer’s financial auditors.  Using this report it is possible to evaluate the effect of the controls at the service organization on the customers’ financial statements. User auditors use these reports to plan and perform audits of the customers’ financial statements.   There are two types of reports for these engagements:

  • Type 2 -  report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Use of these reports is restricted to the management of the service organization, user entities, and user auditors. 

SOC 2 Report

These reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the service provider.  Examples of stakeholders who may need these reports are, vendor management, Security Managers, Privacy Officers, regulators, and others who have an understanding of the service organization and its controls.  These reports can play an important role in:

    • Oversight of the organization
    • Vendor management programs
    • Internal corporate governance and risk management processes
    • Regulatory oversight

Similar to a SOC 1 report there are two types of report : A type 2, report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and  a type 1, report on management’s description of a service organization’s system and the suitability of the design of controls.  Use of these reports is generally restricted.   

SOC 3 Report

These reports are intended primarily as marketing tools.  They are designed to meet the needs of users who need assurance about the controls at a service provider but who do not need the details of an SOC 1 or SOC 2 Report. 
Unlike a SOC 1 and SOC 2 reports, which are considered restricted use reports, SOC 3 Reports will enable the service provider organization to share a general use report that would be relevant to current and prospective customers as a marketing tool to demonstrate that they have appropriate controls in place to mitigate risks related to security, privacy, etc.  

 


HOW TO IDENTIFY THE SOC REPORT THAT IS RIGHT FOR YOU 

Will the report be used by your customers to plan and perform an audit of your customer’s financial statements? 

 

Yes

 

SOC 1 Report

Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley?

 

Yes

 

SOC 1 Report

Will the report be used by your customers to gain confidence and place trust in a service organization’s systems? 

 

Yes

 

SOC 1, SOC 2 and 3 Report

Do you need to make the report generally available or seal? 

Yes

SOC 3 Report

Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests?

 

Yes

 

SOC 2 Report

 

No

 

SOC 3 Report

 


» top

deco scroll

Please contact Jeff Sheets for more information: jsheets@packerthomas.com

tax Notebook, CPAmerica, Fileshare
© Copyright 2014 Packer Thomas Certified Public Accountants & Business Consultants. All Rights Reserved. File Share TaxNotebook CPAmerica