As companies (both service organizations and user organizations) look to understand their risks and the controls addressing those risks, reporting and transparency have become increasingly important. Service organizations look to provide comfort to their user organizations by providing them information regarding the internal controls they have in place to reduce risks.
The Brown Smith Wallace experienced team of professionals can assist you with your third party assurance needs, including Service Organization Control (SOC) reporting. Our team members have performed these services as the requirements have grown and changed over the years from SAS No. 44 (Special-Purpose Reports on Internal Accounting Control at Service Organizations) to SAS No. 70 (Service Organizations) to present-day requirements. Our team can help you navigate the process of determining which of the three reports best fit your needs.
SOC 1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
This report focuses on the controls of the service organization that are relevant to the financial reporting of the user organization. These engagements are performed in accordance with Statement on Standards for Attestation Engagement (SSAE) 16, Reporting on Controls at a Service Organization.
SOC 2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
This report focuses on one or more of the Trust Services Principles and the predefined criteria. These engagements are performed in accordance with AT Section 101, Attest Engagements, of SSAEs.
SOC 3 – Trust Services Report for Service Organizations
These reports use the same principles and criteria as the SOC 2 report. This is a general-use report that provides the auditor’s report on whether the system achieved the trust services criteria (no description of test and results or opinion on the description of the system are provided). These engagements are performed in accordance with AT Section 101, Attest Engagements, of SSAEs.
Agreed Upon Procedures
When a SOC report is not required, but you want a specific group of accounts, procedures or controls evaluated or reviewed, an Agreed Upon Procedures engagement may fit your needs.
Agreed upon procedures can involve reviewing accounts, procedures or controls to evaluate their effectiveness or accuracy. Agreed upon procedures engagements can review compliance of processes you dictated. We add our auditing, accounting and risk services expertise when needed to advise you on a specific course of action.
In many cases, an agreed upon procedures engagement examines service level agreements (SLAs), contract compliance, benefit plan compliance or contracts for services between two parties. These are just examples of the types of accounts, agreements and contracts that can be examined in an agreed upon procedures engagement. Upon completion of the agreed upon procedures engagement, a report is issued for your review, often with suggestions and recommendations.
At Brown Smith Wallace we have the experience your company needs. Because of our advisory services expertise in performing third party assurance projects and reviews in multiple industries and complex technical environments, we are able to draw upon the knowledge and experience necessary to deliver extraordinary results to your organization. To learn more about our SOC and Agreed Upon Procedures services, please contact us today.