Service Organization Control (SOC) Readiness

Classifications of Reporting: Service Organization Control (SOC) 1 reporting is based on Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, and verifies that a service organization has been through an in-depth audit of its internal control processes, including information technology and relevant enterprise-wide controls relating to outsourced services. The focus of a SOC 1 report is on controls at service organizations that are relevant to user entities’ internal control over financial reporting.

With the implementation of SSAE 16, the AICPA has developed two other reports delivered to service organizations, termed SOC 2 and SOC 3 reports. These reports verify that a service organization has been through an in-depth audit of the internal control processes related to controls over security, availability, processing integrity, confidentiality, and privacy of non-financial information. The AICPA and the Canadian Institute of Chartered Accountants (CICA) developed the Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy as the standard for completing SOC 2 and SOC 3 engagements.

Two types of SOC reports

A SOC 1 Type I report identifies whether the service organization’s internal controls in place are appropriately designed as of a specified date. A SOC 1 Type II report identifies whether the service organization’s internal controls are appropriately designed over a specified period of time, usually 6 to 12 months (which can be as few as 2 months for SOC 2 and SOC 3), and whether the controls operated with sufficient effectiveness during that same period.

What are the benefits of a readiness assessment?

    • Helps ensure service organizations have sufficient internal controls in place to achieve an unqualified opinion from the independent service auditor.
    • Helps service organizations determine if the scope of the SOC audit should be a Type I or Type II report.
    • Helps service organizations determine for a Type I report the effective date the controls were placed in operation and for a Type II report what the reporting period should be.

The Rehmann Approach

Phase I — Project Planning

    • Develop scope of work
    • Define roles and responsibilities
    • Gain an understanding of key business processes and related information technology controls

Phase II — Control Evaluation

    • Assist in compiling documentation to support the description of controls
    • Evaluate the business process controls and information technology controls
    • Identify control deficiencies, if any

Phase III — Reporting

    • Communicate control deficiencies to management
    • Review management’s control remediation plans and timelines for completion
    • Prepare the readiness assessment report that includes management’s remediation plans and timelines for completion
