Companies that provide services (Service Organizations) to other companies (User Entities) are often asked to provide proof that their internal controls are working effectively so that their clients’ auditors and regulators can obtain assurance about the controls.
The preferred assurance mechanism to efficiently handle these audit requests is more than likely a SOC (“Service Organization Controls”) report. There are presently three SOC reports: SOC 1, SOC 2, and SOC 3.
The professional standards used to assess the internal controls or trust principles of a service organization and issue a service auditor’s report are issued by the AICPA under Statements on Standards for Attestation Engagements (SSAE) No. 16 (formerly SAS 70).
Examples of service organizations are employee benefits plans, payroll processors, insurance and medical claims processors, trust companies, hosted data centers, cloud service providers, managed security providers, credit card processing organizations, and clearinghouses. The correct SOC report is determined by the user entity’s requirements and the impact of service organization’s controls.
Lanigan has developed a niche team that performs audits of service organizations. Our team is well versed in SSAE No. 16 standards and actively works with large governmental and private entities in providing service organization audits.
Core Service Offerings
for Service Organizations
- Readiness Assessments
- SOC 1 Reporting
- SOC 2 Reporting
- SOC 3 Reporting