For organizations that render services to organizations and companies that serve as “service bureaus”, nothing is more important than the generation of accessible and fair information to its clients and to the auditors of its clients. Rendering such services in the most advantageous manner provides clients with a sense of security and trustworthiness regarding the services being rendered to them.
In connection with the testing of the fairness of controls, we render control services to service bureaus (Service Organization Control – SOC). Our firm has developed expertise in determining the type and nature of the data that your clients require. In addition, we possess the know-how required to define reports that contain the information required by the auditors of your clients.
Commencing in 2011, the SOC reports were defined by the AICPA as part of the project that replaced the former standard known as SAS70 – under a new standard known as SSAE18. SAS70, which was issued in 1992, relates to service rendering organizations, the activity of which impacts the financial control of their clients (through outsourced services) and, from a practical standpoint, regulated a process of verifying the propriety of the processes being used at the outsourced companies.
At present, it is more important for the service organizations of all sizes to demonstrate their commitment to internal controls through the organization’s service report (SOC). SOC reports provide, in a declarative manner, a status report that illustrates the existence and strength of the financial, operational and information system controls in place in the organization. The declaration relies basically on an assessment of the mapping of the controls in the organization,, the efficiency of their design and a testing of the effectiveness of their implementation. In this manner, the organization obtains an assessment based on objective criteria that facilitate comparisons.
Through the SOC report, management of the organization declares the effectiveness of the internal controls in place in the work processes, a declaration that radiates trust to its clients and to its independent auditors.
Types of SOC reports
SOC1 is a report that is suited to the major goal of the SAS70 standard, provides a declaration in respect of the internal control framework of the service providing organization, specifically about the framework that is relevant to and impacts the internal controls in the financial reporting process of the recipient organizations. In other words, this report relates solely to the financial reporting processes of the organization and it is used by the management of the service providing organization, the management of the recipient organization and the independent auditors.
SOC2 is a report that is similar in structure to the SOC1 report, but it does not relate to the financial processes, rather to processes based on trust service principles which are set out in the U.S. standard AT101: security, availability, processing integrity, confidentiality and privacy. These principles are supposed to find expression in the organization’s information systems, which are related to systems in which information is generated, gathered and processed. Concurrent with these principles, the standard sets out control goals to which the required and implemented controls are mapped. A company that requests an SOC2 report does not necessarily require all of the principles, rather those that are relevant to the client in respect of which the report is being requested.
This report is used by the management of the service providing organization, the management of the recipient organization, the independent auditors and interested parties such as business partners, clients and shareholders.
The preparation of a SOC1/2 report includes a number of phases:
- Gaps must be mapped to assess the preparedness of the implementation of the standard.
- Afterwards, the work must be planned and the scope of the work must be determined.
- Then it is necessary to document the entity level controls and an internal examination must be conducted.
- Then it is necessary to perform an assessment as to whether the controls were designed in a manner that facilitates achievement of their goals.
- And finally, the organization must check to see that the aforementioned controls work efficiently enough to guarantee reasonable, albeit not absolute, assurance that the goals of the controls were achieved during the period being tested.
There are two versions of the SOC1/2 reports
- Type 1 – a report that is prepared as of a given date and that relates to the manner in which the controls were designed.
- Type 2 – a report that is prepared as of a given date and that relates to both the design of the controls and to the effectiveness of their implementation, taking into account a given period, including the results of the tests.
SOC3 is a report that is identical to SOC2, but it is designed to be publicized to the public and it may also be used for marketing purposes. However, as opposed to the SOC1 and the SOC2 reports, this report is shorter and it does not contain a breakdown of the controls and the description and findings of the testing of the controls.
Our added value
- Broad know-how and many years of experience with 1/2/3 control reports of service bureaus.
- Service based on professionalism and the involvement of senior staff.
- Quality service, based on international standards and use of advanced methodology.
- The performance of projects around the world, utilizing the services of local experts at the member firms of the Grant Thornton International network of which we are the Israeli member firm.
Hanan Twizer, CPAContact us