Organizations, and their customers, are increasingly relying on processing and application systems operated or ‘hosted’ by third parties. System and Organization Controls (SOC) Examination Reports provide assurance as to the effectiveness of the controls in place over the services performed by the systems and applications designed and operated by these third parties (or ‘service organizations’). Customers who rely on third-party vendors for services such as payroll processing, claims processing, data hosting, etc. can obtain assurance regarding the relevant controls implemented by these service providers through one of the several SOC report formats (e.g., SOC 1, SOC 2, or SOC 3). Providing control assurance through control attestations, such as SOC reports, is becoming an expectation of client organizations when choosing a service provider.
EisnerAmper’s Assurance Technology and Control Services (“ATCS”) Group is a team of CPAs and audit professionals who perform dozens of SOC examinations annually and have the requisite training and expertise to efficiently and effectively perform a SOC engagement and deliver a report, allowing organizations to provide assurance regarding controls for their business partners and customers. EisnerAmper can perform all forms of control attestations (including SOC examinations, such as the SOC 1, SOC 2, SOC 2+ or SOC 3). Our firm performs these engagements across a wide variety of industries, allowing the examined organization to distinguish itself from competitors that do not furnish SOC reports to their client organizations.
SOC Engagement Subject Matter and Professional Standards:
- SOC 1 engagements examine controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting. These examinations are performed in line with AICPA’s Audit and Assurance Guide, as well as AT-C Section 320, AT-C Section 105 and AT-C Section 205.
- SOC 2, SOC 2+ and SOC 3 engagements provide assurance over controls related to [non-financial] services and transaction processing related to AICPA-designated “Trust Categories” that include Security, Confidentiality, Availability, Processing Integrity and Privacy.
Type I and Type II Examinations: A Type I examination reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. A Type II examination covers all the areas and assertions of a Type I, and also provides assurance over the operating effectiveness of controls throughout a specified period.
SOC Consulting Services: SOC consulting services are performed to assist companies in conducting a readiness assessment as a prerequisite to conducting a first-time SOC 1 or SOC 2 Exam (or any other AICPA-sanctioned control attestation service). The specific objectives within a SOC Consulting service engagement are to assist management in identifying the control objectives and the controls in place to meet those objectives, evaluating those controls’ design effectiveness and implementation, identifying any gaps or weaknesses, and developing an action plan to remedy the gaps and weaknesses identified.