As an organization that renders services, there is nothing more important than providing accessible and fair information to clients and visitors. Such a service, to be considered beneficial, will provide the client with a feeling of security and trust in the services that are rendered to it.
In the context of due diligence of controls, we provide control services to service bureaus (Service Organization Control-SOC). Our firm has developed skills and expertise in identifying the type and nature of information that is crucial to your clients. In addition, we possess the knowledge that required defining reports that contain the information required by the auditors of your clients.
The AICPA defined the SOC reports starting in 2011 as a framework to replace the old SAS70 standard under the new SSAE18 standard. SAS70 was published in 1992 and it relates to service organizations which their activities impacts the financial controls of their clients (through outsourced services) in order to regulate a process for validating the propriety of the processes in outsourcing companies.
Nowadays, it is more important for service organizations of all sizes to demonstrate their commitment of their internal controls through an organization's service report (SOC). The SOC reports provide snapshots of the existence and strength of financial, operational and information security controls in an organization. The declaration relies mainly on the evaluating of the mapping of controls in the organization, the efficiency of their design and the examination of the effectiveness of their implementation so that the organization's evaluation will be accepted according to an objective criterion that enables comparison.
Thus, through the SOC report the organization's management declares the effectiveness of an internal control system in the work processes, a declaration that provides confidence to customers and their auditors.
There are 3 types of SOC reports, and it is important to identify what is appropriate for your organization.
SOC 1 reports retain the original purpose of SAS 70 reports, in that; they provide a vehicle for reporting on a service organization's systems of internal controls that are relevant to a user organization's internal controls over financial reporting. SOC 1 reports are intended to be auditor to auditor communications.
SOC 2 reports offer service auditors and organizations a reporting option they can use when the subject matter is not relevant to controls over financial processes, but processes that based on Trust Services Principles that include security, availability, processing integrity, confidentiality and privacy. In accordance with these principles, control objectives and controls are determined and applied. A company requesting the SOC2 report does not have to include all the principles, but only those that are relevant to the client's activity for which it is committed in the report.
SOC 2 reports are intended for user organization management and other stakeholders (e.g. business partners and customers) along with regulators that may also benefit from the information contained within a SOC 2 report.
SOC 3 reports are similar to the SOC 2 reports but intended to be used for marketing purposes or in order to make it available for the public, thus – unlike the SOC 1or SOC 2- this report is short and does not include detailed information regarding the controls assessed, the tests performed and their results.
SOC 1/2 reports have two versions:
- Type 1 – a report due to specific date and describes to the design of the controls.
- Type 2 – a report due to specific date and describes to the design of the controls and their effectiveness in relation to a specific period including the tests results.
Stages in the preparation of a SOC 1 and SOC 2 reports:
- Mapping gaps for assessing the readiness of applying the standard.
- Preparation and scoping.
- Documenting the general controls of the entity and conducting an internal test.
- Assessing whether the controls were designed in a way that allow them to reach their goals.
- Verifying whether the aforementioned controls work effectively in order to assure in in a reasonable – but not complete – manner that the control objectives were achieved during the reviewed period.
What do we offer?
- Broad knowledge of and many years of working with service organization control reports.
- Extensive experience in reviewing internal control and providing recommendations for improvement.
- Quality service conforming to international standards and use of advance methodology.
Our services include:
- Gaps survey which aims to examine the level of compliance and check the preparations and readiness to meet the standard.
- Assistance in narrowing the gaps as part of the preparation for the report.
- A SOC 1 report based on the international standard ISAE 3402.
- A SOC 1/2/3 report according to the American standard SSAE 18 (previously SAS70).
Partner, Fahn Kanne Control Management Ltd.Find out more about Hanan Twizer