January 14, 2021   //   Audit   //   By PKF Mueller Solutions

As outsourcing to specialty service providers has grown exponentially in recent years, so has the demand for System and Organization Controls (SOC) auditor examinations and related reports for any organization that handles sensitive data.

With the growing demand for SOC reports, service organizations should consider the following…

1. Are your cybersecurity practices really protecting your business?

2. Are you spending all of your time completing client security assessments?

3. Are you missing out on business opportunities because of client safety concerns?

4. What type of SOC report is right for your company?

A SOC report is an examination and report over internal controls at a service organization.

A SOC 1 report focuses on internal controls over financial reporting. This report is typically an “auditor to auditor” report used in the audit of financial statements to allow auditors to rely on the service organization’s services.

Typical service organizations that receive SOC 1 reports include:
• Insurance claims processors
• Payroll processors
• Medical billing processors
• Employee benefit plan administrators

A SOC 2 report focuses on internal controls over the security of a service organization’s system. This can also include internal controls related to the availability, processing integrity, confidentiality, and privacy of a service organization’s system.

This report is typically requested by customers or potential customers of a service organization in order for them to gain comfort around the security of the service organization’s system.

Typical service organizations that receive SOC 2 reports include:
• Software-as-a-Service (SaaS) Providers
• Data Centers
• Managed Security Service Providers (MSSP)
• Any other service provider for which customer data is involved

For more information contact our accredited SOC team members:

Drent J. Shields, CPA, MBA, CISA, CITP
Risk & Controls Partner
dshields@pkfmueller.com
+1 847 649 8815

Kyle Wehrli, CPA, CISA, CITP
Audit Director
kwehrli@pkfmueller.com
+1 847 649 8813