SERVICE ORGANIZATION ENGAGEMENTS

The Ever Changing Control Environment

SYSTEM AND ORGANIZATION CONTROLS (SOC) SERVICES

In today’s global economy, companies increasingly outsource business operations to save time and money. Given the regulatory and risk standards that apply across industries, an organization that processes transactions or data on behalf of others must be able to demonstrate adequate controls and safeguards over its clients’ assets and confidential information. Our System and Organization Controls (SOC) reports can help you put such a program in motion.

Bowman & Company LLP’s SOC attestation practice helps service organizations verify internal controls, avoid downtime, and focus on what they do best. Through these measures, we help satisfy third-party risk and assurance requirements and assist organizations in demonstrating the integrity of their control environment.

SOC 1 REPORT: WHAT IS IT?

Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR).

Most service organizations, whether a law firm, a medical office, or another entity entrusted with sensitive or confidential information, rely on costly transaction processing systems to manage payroll, sales, and day-to-day operations. A SOC 1 examination reviews the organization’s methods and processes around those systems and identifies potential control weaknesses.

A SOC 1 report is prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. This is specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

A SOC 1 report addresses the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the control objectives stated in that description; a Type 2 report additionally addresses whether those controls operated effectively. There are two types of SOC 1 report:

Type 1 – Reports on the design and implementation of controls as of a specified date.

Type 2 – Reports on the design and operating effectiveness of controls throughout a specified period (typically at least six months, and often a full year).

Use of these reports is restricted to the management of the service organization, user entities, and user auditors (not potential customers). However, the organization may indicate on its website and marketing materials that it has undergone a SOC 1 engagement.

SOC 2 REPORT: WHAT IS IT?

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy.

We report on a service organization’s controls relevant to security, availability, processing integrity, confidentiality, and/or privacy, measured against the AICPA Trust Services Criteria. Along with the report, we provide actionable findings to help the organization strengthen its control environment and give its customers and other stakeholders transparent, independently examined information about its controls.

These reports, prepared in accordance with TSP section 100, Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (or other suitable criteria), are intended to increase confidence in a service organization’s systems. A SOC 2 report contains management’s description of the system, the service auditor’s opinion, and, for a Type 2 report, the tests of controls the service auditor performed and the results of those tests, including any exceptions noted.

Just like SOC 1 reports, SOC 2 reports can report either on the design and implementation of controls as of a specified date (Type 1) or on the design and operating effectiveness of controls over a period of time (Type 2). A SOC 2 report, however, addresses one or more of the following five trust services categories. Security, whose common criteria also underlie the other four categories, is included in practically every SOC 2 report; the remaining categories are added as relevant to the commitments the organization makes to its customers:

  • Security – The system is protected, both physically and logically, against unauthorized access, use, or modification.
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing integrity – System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with the privacy criteria in the Trust Services Criteria (which superseded the Generally Accepted Privacy Principles (GAPP) previously issued by the AICPA and the Canadian Institute of Chartered Accountants).

POTENTIAL BENEFITS

Both report types are restricted-use reports, intended for readers with sufficient understanding of the service organization’s system: its management, user entities and their auditors, business partners, and regulators. A SOC 2 report is commonly shared with prospective customers under a nondisclosure agreement during vendor due diligence; a SOC 1 report is not intended for prospective customers. SOC 1 and SOC 2 reports can provide:

  • Increased client confidence through transparency
  • Fewer repeated customer audits and security questionnaires, since one independent examination can answer many requests
  • Enhanced risk management
  • Improved competitive advantage through differentiation
  • Streamlined business processes and controls
  • A credible response to prospective customers’ vendor due-diligence requests

An organization may also indicate on its website and marketing materials that it has undergone a SOC 1 and/or SOC 2 engagement.

Our understanding of various industries, experience in providing attestation services, and our team of skilled professionals distinctly qualify us to serve as your company’s service auditor. 

We invite you to CONTACT US if you would like additional information or to discuss your particular business needs.
