System and Organization Controls (SOC)

Users of outsourced services and their auditors are increasingly requesting more information about the effectiveness of controls at the service organizations they use, or are considering using, for outsourced business functions. Using the AICPA’s various SOC for Service Organizations offerings, we can issue assurance reports that give your users the valuable information they need to assess and address the risks associated with the outsourced services you provide, helping build trust and transparency.

A SOC report can only be issued by an independent CPA. A successful SOC examination performed by a CPA will permit your organization to use the AICPA SOC logo on its website. Our team will work closely with experienced information technology and security specialists and your company’s business process owners to ensure a comprehensive, thorough, and timely evaluation of the controls related to the services you provide.

What are SOC for Service Organizations reports?

SOC for Service Organizations reports are internal control reports, which independent CPAs provide, on the services a service organization provides.

  • Useful for evaluating the effectiveness of controls related to the services performed by a service organization
  • Appropriate for understanding how the service organization maintains oversight over third parties that provide services to customers
  • Help reduce compliance burden by providing one report that addresses the shared needs of multiple users
  • Enhance the ability to obtain and retain customers

SOC 2® – SOC for Service Organizations: Trust Services Criteria

These reports address controls relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process, in accordance with the AICPA’s Trust Services Criteria. They provide a level of detail sufficient to address the user’s vendor risk management needs and are restricted to specified parties with sufficient knowledge and understanding of the service organization’s system and the nature of services it provides. Use of these reports generally is restricted to service organization management, user entities of the system, business partners, CPAs providing services to user entities and business partners, and regulators.