The Service Organization Control (SOC) reporting framework and Statement on Standards for Attestation Engagements (SSAE) No. 16 are critical topics for service organizations. UHY LLP has deep industry knowledge and extensive experience in providing SOC reporting and related services for SOC 1 (SSAE 16), SOC 2, and SOC 3 reports. We work with you to gain a thorough understanding of your business operations and related risks, and we provide a comprehensive, in-depth assessment of your organization’s control environment.
Our experience in providing SOC reporting extends to a wide range of industries and service organization types, including cloud computing providers (SaaS, PaaS, IaaS), managed hosting and data center operators, and medical, dental, and pharmacy third-party administrators (TPAs) across a variety of industry verticals and specialties.
People are our most important resource. We have a wealth of exceptional people to serve our clients. Our SOC partners have an average of 25 years of experience in their specialties and are regular contributors and speakers at national and regional security and audit conferences. Our practitioners hold professional designations such as certified public accountant (CPA), certified information systems auditor (CISA), certified information systems security professional (CISSP), certified information security manager (CISM), certified internal auditor (CIA) and certified in the governance of enterprise IT (CGEIT).
We understand that third-party attestation is a cost your organization would rather minimize. Our goal is to help you evaluate the reporting options and provide you and your customers with the right report, or set of reports, to meet both your needs and theirs. We strive to complete the reporting process in the most effective and efficient manner possible to minimize the cost to, and the effect on, your organization.
Our methodology has evolved in recent years as more and more organizations struggle with increased customer demands for more, and different, types of attestation reports. Many of our clients face multiple reporting requirements such as SOC 1 (SSAE 16), SOC 2, HIPAA, and PCI DSS, in addition to international and federal requirements such as ISO standards, FedRAMP, NIST, BITS, and others (also see Internal Audit, Risk & Compliance).
Our methodology for performing compliance work is based on a concept we call “compliance convergence.” Because many compliance frameworks address common attributes, such as information privacy and security, data integrity, and training, tremendous synergy can be achieved. Our approach begins by normalizing the requirements of the various frameworks into a single set of controls. Next, we develop an audit plan that leverages this overlap to minimize the time required for sample selection, testing, and analysis.
Our first step in any attestation engagement is to understand the types of reports you need to satisfy customer demand and contractual requirements. Because many control elements are similar across the various types of attestation reporting, we map your controls to a master controls matrix and take advantage of the related synergies among the various reporting and controls frameworks. By ensuring that each control is tested only once, we can greatly reduce audit fees and the time your internal personnel spend responding to information requests. Where several frameworks map to the same control, the single test is designed to the most demanding of those frameworks’ sample-size and period requirements, so that one set of evidence satisfies all of them.
Service Organization Control (SOC) Reports
When determining the type of SOC report that best addresses your company’s and your customers’ needs, it is important to understand the underlying objective and purpose of each type of report.
SOC 1 (SSAE 16) Attestation Reports
SOC 1 reports evaluate a service organization’s internal controls that affect the financial reporting of the companies using its services and communicate the results of that evaluation. Your business partners are often required by the Sarbanes-Oxley (SOX) Act of 2002, and other regulations, to assess the internal controls at your organization that affect their financial reporting; SOC 1 (SSAE 16) reports are intended to provide them with that assessment. The critical factor in determining whether a SOC 1 (SSAE 16) report is appropriate is whether your company initiates, processes, or records transactions that ultimately impact your customers’ financial statements. If the services you provide do not impact your customers’ financial statements, a SOC 2 or SOC 3 report is probably more appropriate. The AICPA issued Statement on Standards for Attestation Engagements 16 (SSAE 16), “Reporting on Controls at a Service Organization,” as a replacement for the former Statement on Auditing Standards 70 (SAS 70), effective for service auditor reports for periods ending on or after June 15, 2011. Professionals engaged to perform SOC 1 engagements apply the attestation standard set out in SSAE 16, which is why these reports are often referred to as SSAE 16 reports.
SOC 2 and SOC 3 Attestation Reports
SOC 2 and SOC 3 reports evaluate a service organization’s internal controls that affect the operations of the companies using its services and communicate the results of that evaluation. Both use the Trust Services Principles and Criteria as a framework for understanding the operational risks facing the company and for determining the internal controls related to Security, Availability, Processing Integrity, Confidentiality, and Privacy that address those risks. Companies may select one, several, or all five of the Principles to be reported on. The two reports differ in audience and detail: a SOC 2 report includes the description of the system and the detailed results of the auditor’s tests and is a restricted-use report for the service organization’s customers and their auditors, whereas a SOC 3 report covers the same criteria but omits the detailed test results and is a general-use report that may be distributed publicly. Standards for performing SOC 2 and SOC 3 engagements are outlined in AICPA standard AT Section 101.
SOC Readiness Assessments
Our methodology for providing Service Organization Control (SOC) attestation services to clients that have not been through the examination process before usually begins with a Readiness Assessment. The Readiness Assessment is the best way for us to obtain a full understanding of the services provided within the scope of the report and of your control environment.
Our professionals will apply their knowledge of your business to assess your readiness to undergo a SOC 1, SOC 2, and/or SOC 3 attestation. We will meet with key personnel to gain a thorough understanding of current controls and identify potential gaps or areas of weakness that may need to be addressed before the attestation.