SOC & SSAE 18
Service Organization Control (SOC) reports were created by the American Institute of Certified Public Accountants (AICPA) to set compliance standards that keep pace with businesses outsourcing their services to third parties, i.e., service organizations. According to the AICPA, “Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.”
SOC reports are based on SSAE (Statement on Standards for Attestation Engagements) version 18, which regulates how companies conduct business and, moreover, defines how companies report on compliance controls. These reports are called SOC 1, SOC 2, and SOC 3.
SOC 1 Report
Internal control reports that are likely to be relevant to an audit of customers' financial statements.
SOC 2 Report
Control reports that evaluate the business information system in depth with respect to security, availability, processing integrity, confidentiality or privacy. Controls for this report are assessed over a defined period.
SOC 3 Report
Control reports that provide information related to internal controls for security, availability, processing integrity, confidentiality or privacy. However, SOC 3 does not go into as much detail as SOC 2.
We help organizations to scope their control environment, which is required to be assessed and reported to corresponding interested parties. Based on this understanding, a suitable plan is developed with associated responsibilities and activity timelines being clearly defined.
Our auditors perform an initial review of the control environment in scope to identify any associated gaps that need to be remediated. This review considers mandatory control objectives that include:
- IT Governance
- Logical Security
- Change Controls
- Physical & environmental controls
Based on the gaps identified, we help the organization during its remediation activities. We provide support to develop appropriate policies and procedures, along with the technical controls required to achieve and maintain your intended control objectives.
Post remediation, depending upon the SOC type requirement, we would examine the control environment for a defined period and collect appropriate evidence supporting the organizational requirements for SOC reporting.
We prepare the SOC reports based on suitable evidence collated during the control examination phase applicable to the organizational SOC reporting requirements. This report shall be finalized after undergoing appropriate QA procedures.
Why choose ValueMentor?
- Team of seasoned auditors
- Expertise in reporting controls for various organizations globally with complex environments.
- Proven record of supporting clients in maintaining the security of their control environment regardless of business/operational challenges.