As companies (both service organizations and user organizations) look to understand their risks and the controls addressing those risks, reporting and transparency have become increasingly important. Service organizations look to provide comfort to their user organizations by providing them information regarding the internal controls they have in place to reduce risks.
Brown Smith Wallace's experienced team of professionals can assist you with your third party assurance needs, including Service Organization Control (SOC) reporting. Our team members have performed these services as the requirements have grown and changed over the years, from SAS No. 44 (Special-Purpose Reports on Internal Accounting Control at Service Organizations) to SAS No. 70 (Service Organizations) to present-day requirements. Our team can help you navigate the process of determining which of the three reports best fits your needs.
SOC 1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
This report focuses on the controls of the service organization that are relevant to the financial reporting of the user organization. These engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organization.
SOC 2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
This report focuses on one or more of the Trust Services Principles and the predefined criteria. These engagements are performed in accordance with AT Section 101, Attest Engagements, of SSAEs.
SOC 3 – Trust Services Report for Service Organizations
These reports use the same principles and criteria as the SOC 2 report. This is a general-use report that provides the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results, and no opinion on the description of the system, is provided). These engagements are performed in accordance with AT Section 101, Attest Engagements, of SSAEs.
Agreed Upon Procedures
When a SOC report is not required, but you want a specific group of accounts, procedures or controls evaluated or reviewed, an Agreed Upon Procedures engagement may fit your needs.
Agreed upon procedures can involve reviewing accounts, procedures or controls to evaluate their effectiveness or accuracy. Agreed upon procedures engagements can also review compliance with processes you specify. We add our auditing, accounting and risk services expertise when needed to advise you on a specific course of action.
In many cases, an agreed upon procedures engagement examines service level agreements (SLAs), contract compliance, benefit plan compliance or contracts for services between two parties. These are just examples of the types of accounts, agreements and contracts that can be examined in an agreed upon procedures engagement. Upon completion of the agreed upon procedures engagement, a report is issued for your review, often with suggestions and recommendations.
At Brown Smith Wallace we have the experience your company needs. Because of our advisory services expertise in performing third party assurance projects and reviews in multiple industries and complex technical environments, we are able to draw upon the knowledge and experience necessary to deliver extraordinary results to your organization. To learn more about our SOC and Agreed Upon Procedures services, please contact us today.
We help you fulfill the fiduciary responsibilities of your benefit plans by helping you focus on the interests of plan participants and beneficiaries. Our affiliate, Benefit Plans Plus LLC, offers a Fiduciary Health Check™ that identifies opportunities, improves procedures and enhances systems.
We help you comply with HIPAA regulations by performing a gap analysis, constructing implementation plans or providing policies, procedures and resources. We can also assist you in assessing the business impact of HIPAA regarding the applicability of regulations, and its effect on business processes, controls and reporting requirements.
Payment Card Industry Services (PCI)
Payment card risk advisory services help to ensure protection of your customers’ privacy. Businesses rely on credit or debit cards to process monetary transactions every day. However, there are constant unsolicited and illegal attempts to access the cardholder data contained in those transactions. It is more important than ever for your business to have controls in place to adequately protect consumer information.
In 2004, VISA and MasterCard security standards were endorsed by the four other card brands, creating the Payment Card Industry (PCI) Data Security Standard. This unified information security program was designed to protect credit card data based upon fundamental security controls. Compliance with the PCI Data Security Standard is required of all merchants and service providers that store, process or transmit cardholder data.
Brown Smith Wallace Risk Advisory Services can help your organization achieve and maintain PCI compliance. We can assist your organization with the following services:
- PCI DSS guidance and planning
- PCI QSA on-site audit