
Service Organization Control Systems

Background

Service organizations must now report on their controls under a different set of standards as of June 15, 2011. Service Organization Control (SOC) reports are designed to help service organizations (organizations that operate information systems and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant. Each type of SOC report is designed to help service organizations meet specific user needs.

How We Can Help

Crowe Horwath LLP provides reporting solutions for hundreds of service organizations across various industries from coast to coast. We have a strong team of professionals who specialize in SOC and other attestation report solutions. Crowe follows a standard framework that has proven to be both efficient and effective with clients across various industries.

Crowe specializes in the following reports:

  SOC Readiness Assessment
Consultative services geared toward getting your organization ready to go through the process of providing your clients with a SOC report. Crowe will assist you in identifying appropriate areas of coverage and related controls. Further, we will help you identify any gaps in your current controls framework so they can be corrected before the SOC examination period begins.

  SOC 1 Examination

Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SSAE 16)

Attestation services that result in a formal report on controls to be provided to your customers. SOC 1 reports are intended to be used by user organizations that rely on a service organization to perform control activities that affect the user organization's financial reporting process or impact its SOX 404 key controls. Service organizations have the option to issue a Type 1 or Type 2 report:

  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

  SOC 2 Examination

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy

Attestation services that result in a formal report on controls to be provided to your customers. SOC 2 reports are intended to be used by user organizations that need to obtain detailed information about the service organization’s system and independent assurance about the controls performed by the service organization related to security, availability, processing integrity, confidentiality and/or privacy. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. The service organization may elect to cover security, availability, processing integrity, confidentiality, and/or privacy based on the needs of its customers. The service organization must then describe the controls it has in place to satisfy the criteria specified for each chosen principle. Service organizations have the option to issue a Type 1 or Type 2 report.

  AT101 Report (Attest Engagements)

Report on Controls at a Service Organization

An AT 101 report can be issued over controls at a service organization as either a review or an examination. Further, the service auditor can report directly on management’s assertion or directly on the subject matter of the report. If the engagement is conducted as a review over the subject matter, testing is limited to inquiry, observation, and limited inspection, similar to the Type 1 report under SAS 70. If the engagement is conducted as an examination, with an opinion covering the subject matter directly, testing is performed using observation, inspection, and reperformance and can cover a period of time. Management is required to define the criteria or to select an industry standard from which the criteria are drawn. The service auditor uses these criteria to evaluate and test controls.

  AT601 Report (Compliance Attestation)

Report on Controls at a Service Organization Related to Regulatory Requirements

An AT 601 report can be issued over controls related to a specified regulation at a service organization as either a review or an examination. Further, the service auditor can report directly on management’s assertion or directly on the subject matter of the report. If the engagement is conducted as a review over the subject matter, testing is limited to inquiry, observation, and limited inspection, similar to the Type 1 report under SAS 70. If the engagement is conducted as an examination, with an opinion covering the subject matter directly, testing is performed using observation, inspection, and reperformance and can cover a period of time. Management defines the controls to be covered that relate to criteria defined within specific regulations (e.g., HIPAA).

Contact Us

Arshad Ahmed
574.236.7602