Your Service Organization Controls (SOC) Report | Bowman & Company, LLP

Whatever your needs, Bowman & Company LLP is ready to assist you by providing Service Organization Controls (SOC) readiness assessments and SOC reports. We can help you decide which type of report best meets your needs and those of your customers.

Since 1939, Bowman & Company LLP has provided professional auditing and accounting services to our clients. Our size and varied industry experience set us apart from other firms providing such services.



Service Organization Control (SOC) Reports Have Replaced SAS 70 Reports

Effective June 15, 2011, SOC reports replaced SAS 70 reports. SOC reporting engagements result in three types of reports (SOC 1, SOC 2 and SOC 3), which address the policies, procedures and controls of an organization that processes transactions or other information for others. The report provides reasonable assurance about the accuracy of the description of the organization’s control procedures, the suitability of their design and, in certain cases, their operating effectiveness. To issue a report, a service auditor examines management’s description of the system and its control objectives, evaluates the design of the controls and, for a Type 2 report, tests whether they operated as described.

Both SOC 1 and SOC 2 reports are available in Type 1 (controls are properly designed, in place and documented at a point in time) or Type 2 (controls are properly designed, in place, documented and operating effectively over a period of time). Because a Type 1 report says nothing about whether the controls actually operated, customers evaluating a service organization’s security generally ask for a Type 2 report covering a recent period.

The change from SAS 70 to SOC reports was primarily designed to align with international assurance standards (ISAE 3402). However, the change also provides options for companies that do not process financial transactions but require assurance reporting as part of the services they offer their customers.


Frequently Asked Questions:

SOC 1 Report: What is it?

Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 engagements are performed under AT Section 801, Reporting on Controls at a Service Organization. This report replaces the traditional SAS 70 report. SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities, when those controls are likely to be relevant to the user entities’ internal control over financial reporting.

There are two types of SOC 1 reports:

  • Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
  • Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period. It includes a description of the tests performed by the service auditor and the results of those tests.

Use of a SOC 1 report (either type) is restricted to existing user entities and their auditors, not to potential customers.

SOC 2 Report: What is it?

Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements (AICPA, Professional Standards, vol. 1). A SOC 2 report is similar in structure to a SOC 1 report: either a Type 1 or Type 2 report may be issued, and the report provides a description of the service organization’s system. A Type 2 report also includes a description of the tests performed by the service auditor and the results of those tests. SOC 2 reports specifically address one or more of the following five key system principles:

  • Security – The system is protected against unauthorized access (both physical and logical).
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing integrity – System processing is complete, accurate, timely and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.

SOC 3 Report: What is it?

Trust Services Report for Service Organizations: SOC 3 engagements use the same predefined criteria in Trust Services Principles, Criteria and Illustrations that are used in SOC 2 engagements. SOC 3 reports can likewise be issued on one or more of the Trust Services principles (security, availability, processing integrity, confidentiality and privacy). The key difference is in the level of detail and the intended audience. A SOC 2 report is generally a restricted-use report that contains a detailed description of the service auditor’s tests of controls and the results of those tests, together with the service auditor’s opinion on the description of the service organization’s system. A SOC 3 report is a general-use report that provides only the auditor’s opinion on whether the system achieved the Trust Services criteria, with no description of the tests and results and no opinion on the description of the system. Because it is general-use, a SOC 3 report can be distributed freely, and it permits the service organization to display the SOC 3 seal on its website.


We invite you to contact us if you would like additional information or to discuss your particular business needs.
