Svc Org Control 2 & 3 Audits | Regulatory Compliance

With the implementation of Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, the AICPA developed two reports delivered to service organizations, termed Service Organization Control (SOC) 2 and SOC 3 reports. These reports verify that a service organization has undergone an in-depth audit of its internal control processes covering the security, availability, processing integrity, confidentiality, and privacy of non-financial information. The AICPA and the Canadian Institute of Chartered Accountants (CICA) developed the Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy as the standard for performing SOC 2 and SOC 3 engagements.

Two Types of Reports

SOC 2 Type I reports identify whether the service organization's internal controls are appropriately designed as of a specified date. SOC 2 & 3 Type II reports identify whether the service organization's internal controls are appropriately designed over a specified period of time, usually 6 to 12 months but as few as 2 months, and whether the controls operated with sufficient effectiveness during that same period.

SOC 2 & SOC 3 Differences

SOC 2 reports are intended only for the service organization's customers, while SOC 3 reports can be freely distributed or posted on a website with a SysTrust seal. Additionally, SOC 3 reports do not contain a detailed description of the service auditor's tests.

Who should consider getting a SOC 2 & 3 Audit?

Service organizations that host or process sensitive non-financial statement data belonging to customers and want to demonstrate effective internal controls, or those with closely regulated customers who must submit reports on internal controls over sensitive data to regulatory agencies.

What are the Benefits?

Independent, third-party assurance of adequate internal controls; a demonstration that a sound internal control environment over non-financial reporting data exists; increased trust and stronger relationships with customers; reduced strain on your organization by eliminating multiple visits from your customers' auditors; and identification of opportunities for improvement in business processes and the management of information technology operations.

The Rehmann Approach

Phase I - Project Planning
Develop project scope of work; define roles and responsibilities; gain an understanding of key business processes and related information technology controls.

Phase II - Readiness Assessment (If requested)
Evaluate the selected business processes and information technology controls; identify control deficiencies, if any; communicate control deficiencies to management; review management's control remediation; and assist in compiling documentation to support the description of controls.

Phase III - Perform the SOC 2 or 3 Audit
Obtain management's assertion regarding the system description and internal controls; assess, using AICPA/CICA standards, the suitability of the criteria management used to prepare its description of controls; obtain an understanding of the service organization's system; obtain evidence supporting management's description of the service organization's system; obtain evidence of the design of controls; obtain evidence of the operating effectiveness of controls (Type II); investigate the nature and cause of deviations, if any; and prepare the service auditor's report.
