Organization Control (SOC) Reporting and SSAE-16 Audit Reports

Today, it is common for entities to outsource business tasks or functions to service organizations, even those that are core to an entity’s operations.  Although user entities may rely on a service organization to perform outsourced tasks or functions, the user entity retains responsibility for the service it provides to its customers, even if those services are affected by the work performed by a service organization.  For that reason, user entities may seek assurance regarding a service organization’s controls intended to protect the service organization, user entities, and customers of the user entities from the potential risks associated with these services.

It is vital that Service Organizations demonstrate adequate controls and safeguards when they host or process data belonging to their user entities. Service Organization Control (SOC) audit reports help build trust and confidence in those controls, processes and safeguards. The SOC team at Smith & Howard focuses on preparing SOC audit reports under the Statement of Standards for Attestation Engagements No. 16 (SSAE - 16 Audit Report), Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801) ensuring accurate, fair reporting in which service organizations and their user entities can have confidence that their information is protected throughout its life cycle.

Benefits of SOC reports include:

  • Increased ability to market to, attract and retain quality customers
  • Satisfaction of external audit requirements
  • Documentation of internal control structure
  • Increased customer confidence
  • Enhanced risk management
  • Compliance with regulatory requirements

Some of the businesses that fall under Service Organization category requiring SOC reports include:

  • Health care claims management and processing
  • Credit card payment processors
  • Payroll companies
  • Fulfillment businesses
  • Collection organizations
  • Bill payment processors
  • Investment managers

There are three types of SOC reports available, providing assurance over financial controls, and controls relevant to security, availability, processing integrity, confidentiality and privacy. For an easy-to-follow guideline on the SOC report or reports your Service Organization may need email us here.

Choosing the right professionals to serve your SOC reporting needs is a critical element of success. For more information on Smith & Howard’s SOC services, please call Marvin Willis or Debbie Risher for more information. Or, simply complete the form on this page. 

Questions? Contact Us