Third Party Reporting (SSAE 16 – SOC 1 & SOC 2) - Service Organizational Controls
- SOC 1 – Providing a means of reporting on the system of internal control for purposes of complying with internal control over financial reporting. SOC 1 reports are restricted-use reports, which means use of the reports is restricted to:
- Management of the service organization (the company who has the SOC 1 performed)
- User entities of the service organization (service organization’s clients)
- The user entities’ financial auditors (user auditor). The report can assist the user entities’ financial auditors with laws and regulations such as the Sarbanes–Oxley Act. A SOC 1 enables the user auditor to perform risk assessment procedures, and if a Type II report is performed, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.
- Types – I & II
- Type I (Typically a report on Policies & Procedures which depicts the Design Effectiveness of the aforesaid in place)
- Type II (Typically a report which depicts the Operating Effectiveness of the procedures/policies being followed)
- SOC 2 – Providing a means of reporting on the system and the TRUST Principles of the company briefly considered as:
- Security
- Availability
- Confidentiality
- Privacy
- Processing Integrity
- Types – I & II
- Type I (Typically a report on Policies & Procedures which depicts the Design Effectiveness of the aforesaid in place)
- Type II (Typically a report which depicts the Operating Effectiveness of the procedures/policies being followed)