Service Organization Controls

SOC 1, SOC 2, SOC 3

With more and more high-profile fraud cases in the news, there is heightened awareness of the need for strong internal controls. Meanwhile, as companies outsource more tasks – from payroll and billing to information technology and human resources – they inherently have less direct control over important information, especially when the work is outsourced to the cloud in a Software as a Service (SaaS) model.

A Service Organization Control (SOC) report provides an independent auditor's evaluation of the controls a service organization has in place over that information, and of whether those controls actually operated as described.

If you are a service organization, a SOC report can be a seal of approval that you have effective controls over your clients’ information. (If you aren’t sure your controls measure up, Barnes Dennig’s Readiness Assessment can help.) If you outsource important information to a service organization, a SOC report provides peace of mind that your data is in good hands.

The American Institute of Certified Public Accountants has established three SOC reporting options:

SOC 1 reports are used primarily to support the user entity's (the outsourcing client's) financial statement audit. The engagement is performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16 (since superseded by SSAE 18), and the report focuses on controls at the service organization that are relevant to the user entity's internal control over financial reporting.

SOC 2 and SOC 3 reports evaluate a service organization's controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. A SOC 2 report includes the service organization's description of its system, the auditor's tests of controls and the results of those tests; it is written for the benefit of the service organization's clients (the user entities) and their auditors, and is distributed only to them. A SOC 3 report is a simplified version of a SOC 2 report that omits the detailed test results; it is intended for public use, so the service organization may distribute it freely and display the SOC 3 seal on its marketing materials.

At Barnes Dennig, we address each of the following areas in a typical examination:

  • Physical security
  • Internet and infrastructure services
  • Security administration
  • Application security
  • Controls over software changes
  • IT operations
  • Systems and programming
  • General control environment
  • Business continuity planning

Related topics: SAS 70, the predecessor standard that SOC 1 (SSAE 16) replaced; the SOC Readiness Assessment, for organizations unsure whether they are ready for a SOC examination; and why a SOC report must be issued by a CPA firm.