Bowman & Company and Your Service Organization Controls (SOC) Report
Whatever your needs, Bowman & Company LLP is ready to assist you by providing Service Organization Controls (SOC) readiness assessments and SOC reports. We can help you decide which type of report best meets your needs and those of your customers.
Since 1939, Bowman & Company LLP has provided professional auditing and accounting services to our clients. Our size and varied industry experience set us apart from other firms providing such services.
Satisfying HIPAA, PCI, and other audit requirements with one audit engagement by taking advantage of the new SOC reports (formerly SAS70 reports)
For many service organizations, complying with multiple industry standards and regulations is mandatory in order to do business with customers that trust them to safeguard the information they handle.
In fact, it is not uncommon for service organizations to have to comply with the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and a host of other internal controls required under SOC / SSAE 16 (formerly SAS 70).
Each standard and regulation requires its own third-party audit every year, adding to the cost of doing business and draining time and resources away from core business activities. Now there is a solution.
Welcome to the new Service Organization Controls (SOC 2) report, which allows organizations to integrate all of their compliance requirements into one audit engagement. On June 15, 2011, new audit standards became effective that allow service organizations to include "Additional Subject Matter" in the SOC 2 report they obtain from their CPAs. A SOC 2 report is based on pre-established controls called the Trust Services Principles & Criteria (TSPC), and the additional subject matter can include any other controls that are suitable and measurable. PCI and HIPAA meet both of these requirements and therefore may be included in the SOC 2 report.
Under the previous audit standards, service organizations had to document and follow their own controls, which were often difficult to correlate to other standards based on predefined control criteria. The TSPC, on the other hand, cover the domains of Security, Availability, Processing Integrity, Confidentiality, and Privacy and map readily to PCI DSS, NIST, ISO 27001, and similar frameworks, so service auditors can test any overlapping controls once.
Taking advantage of the timing of these changes in the audit standards, and to meet customer expectations of receiving a report for each compliance area, Bowman has partnered with CompliancePoint, a leading Qualified Security Assessor (QSA), to create consolidated audit procedures that blend the TSPC controls with the controls from the other standards.
Through the combined engagement approach, service organizations only have to present audit evidence one time. It is then tested by the combined Bowman / CompliancePoint team, and the results provide a basis for the SOC, HIPAA, and PCI reports issued separately by Bowman and CompliancePoint. The impact to the service organization is increased efficiency in their compliance programs and reduced burden on their resources to meet auditor requests for information.
We have developed our methodology to enable service organizations to consolidate PCI and SOC, HIPAA and SOC, ISO 27001 and SOC, GLBA and SOC, FISMA and SOC, or PCI, HIPAA, and SOC together, as well as all of the above, under the SOC report umbrella. Any service organization that can take advantage of the opportunity presented by the new audit standards will benefit from increased audit program efficiency and reduced overall audit fees from its service auditors. This leaves more time and energy for concentrating on profitability and business growth.
Service Organization Control (SOC) Reports Have Replaced SAS 70 Reports
Effective June 15, 2011, “SOC” Reports replaced SAS 70 reports. SOC reporting engagements result in three types of reports which address the policies, procedures and controls of an organization that processes transactions for others. The report provides reasonable assurance about the accuracy of the description of the organization’s control procedures, their appropriateness and, in certain cases, their operating effectiveness. To issue a report, an auditor reviews management’s control objectives and procedures.
Both SOC 1 and SOC 2 reports will be available in Type 1 (controls are properly designed, in place and documented at a point in time) or Type 2 (controls are properly designed, in place, documented and are operating effectively over a period of time).
The change from SAS 70 to SOC Reports was primarily designed to align with international accounting standards. However, the new change also provides options for companies that do not process financial transactions, but require assurance reporting as part of their services offering for their customers.
Frequently Asked Questions:
SOC 1 Report: What is it?
Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 engagements are performed under SSAE 16, Reporting on Controls at a Service Organization. This report replaces the traditional SAS 70 report. SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.
There are two types of SOC 1 reports:
• Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
• Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Use of a SOC 1 report is restricted to existing user entities (not potential customers).
SOC 2 Report: What is it?
Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards, vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a type 1 or type 2 report may be issued and the report provides a description of the service organization’s system. For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests. SOC 2 reports specifically address one or more of the following five key system attributes:
• Security - The system is protected against unauthorized access (both physical and logical).
• Availability - The system is available for operation and use as committed or agreed.
• Processing integrity - System processing is complete, accurate, timely and authorized.
• Confidentiality - Information designated as confidential is protected as committed or agreed.
• Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
SOC 3 Report: What is it?
Trust Services Report for Service Organization: SOC 3 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations that also are used in SOC 2 engagements. The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy).