Third Party Reporting (SSAE 16 – SOC 1 & SOC 2) - Service Organizational Controls

  • SOC 1 – Provides a means of reporting on the system of internal control for purposes of complying with internal control over financial reporting. SOC 1 reports are restricted-use reports, which means use of the reports is restricted to:
    • Management of the service organization (the company that has the SOC 1 performed)
    • User entities of the service organization (the service organization’s clients)
    • The user entities’ financial auditors (user auditors). The report can assist the user entities’ financial auditors with laws and regulations such as the Sarbanes–Oxley Act. A SOC 1 enables the user auditor to perform risk assessment procedures and, if a Type II report is performed, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.
    • Types – I & II
      • Type I (typically a report on policies and procedures that depicts the design effectiveness of those in place)
      • Type II (typically a report that depicts the operating effectiveness of the procedures/policies being followed)
  • SOC 2 – Provides a means of reporting on the system and the Trust Principles of the company, briefly considered as:
    • Security

    • Availability

    • Confidentiality

    • Privacy

    • Processing Integrity

    • Types – I & II
      • Type I (typically a report on policies and procedures that depicts the design effectiveness of those in place)
      • Type II (typically a report that depicts the operating effectiveness of the procedures/policies being followed)