SERVICE ORGANIZATION ENGAGEMENTS
The Ever Changing Control Environment
SYSTEM AND ORGANIZATION CONTROLS (SOC) SERVICES
Bowman & Company LLP’s SOC attestation practice helps service organizations verify internal controls, avoid downtime, and focus on what they do best. Through these measures, we help satisfy third-party risk and assurance requirements and assist organizations in demonstrating the integrity of their control environment.
SOC 1 REPORT: WHAT IS IT?
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR).
Whether you represent a law firm, a medical office, or another entity responsible for sensitive/confidential information, most service organizations use cost-intensive transaction processing systems to manage payroll, sales, and day-to-day operations. SOC 1 reports explore an organization’s methods and processes and identify potential weaknesses.
A SOC 1 report is prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. This is specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
SOC 1 is a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description. Within this engagement, there are two types:
- Type 1 – Reports on the design of controls as of a specified date.
- Type 2 – Reports on the effectiveness of controls throughout a specified time period.
Use of these reports is restricted to the management of the service organization, user entities, and user auditors (not potential customers). However, the organization may indicate on its website and marketing materials that it has undergone a SOC 1 engagement.
SOC 2 REPORT: WHAT IS IT?
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Our team provides a report on user organizations’ internal controls related to security, availability, processing integrity, confidentiality and/or privacy using Trust Services Principles. We provide actionable insights to help organizations enhance their internal control environment, and help companies provide transparent controls-related information to customers and other stakeholders.
These reports, prepared in accordance with Trust Services Principles (TSP) Section 100, Trust Services for Security, Availability, Processing Integrity, Confidentiality, and Privacy or other authoritative criteria, are specifically intended to increase confidence in a service organization’s systems. Included in a SOC 2 report is a description of the service organization’s controls, listing of tests performed by the service auditor, and results of those tests.
Just like SOC 1 reports, SOC 2 reports can either report on the design of controls as of a specified date (Type 1) or the design and operating effectiveness of controls for a period of time (Type 2). However, SOC 2 reports specifically address one or more of the following five key system principles:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing integrity – System processing is complete, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
These reports are designed to be actively utilized by the management of the service organization, user entities, prospective user entities, and regulators. SOC 1 and SOC 2 reports can provide:
An organization may also indicate on its website and marketing materials that it has undergone a SOC 1 and/or SOC 2 engagement.
Our understanding of various industries, experience in providing attestation services, and our team of skilled professionals distinctly qualify us to serve as your company’s service auditor.
We invite you to CONTACT US if you would like additional information or to discuss your particular business needs.