Providing Assurance Through SOC Reports



By: William T. Bauder, CPA, CGMA - Senior Accountant

The rapid growth in the number of businesses outsourcing various functions has made it absolutely necessary for service providers to have internal controls in place designed to protect those they work with. Your customers may call on you for assurance about your systems’ controls with regard to financial reporting, the controls meant to guard the privacy and security of users’ data, or the integrity of your systems as a whole.

How do you provide this assurance? More and more organizations are turning to a Service Organization Control Report (SOC Report) to provide a high level of peace of mind. A SOC Report (and there are three different types, which we will get to in just a moment) is based on an AICPA framework that was created to replace the outdated SAS 70 control standard, which was not designed to address the changes that technology and the internet have brought into the modern-day workplace.

If a company provides outsourced business services to other entities, then a SOC report provides those entities with the confidence that your control environment is defined, suitably designed and implemented effectively. Simply put, knowing this information allows them to evaluate the risk of doing business with you.

Now back to those three types of SOC audits and which one is right for your organization. A quick overview of each type is as follows:

SOC 1 - An audit of internal controls over financial reporting. Think of it like this: if the service you perform spits out a number that affects the financial status of your customer, this might apply to you.

SOC 2 - An audit over one to all five of the Trust Services Principles (TSPs). What are the TSPs, you ask? Security, Availability, Processing Integrity, Confidentiality, and Privacy. (This audit is typically very IT focused.)

SOC 3 - Similar to a SOC 2 audit, this covers IT controls related to Security, Availability, Processing Integrity, Confidentiality, and Privacy, but presents less detail about internal processes and the results of the auditor’s testing, and is most generally used for marketing purposes.

It is important to note that not every SOC report is the same, and we will work with you to customize a report and approach that is sufficient and appropriate to meet your precise and unique needs.

For a more detailed description of each type of SOC Report, visit this area of our website:

Contact H&M today for more information regarding how to get the SOC process started. Our team is comprised of experienced auditors and CPAs as well as professionals with CITP and CISA certifications.