Have you ever thought about what you would do if someone obtained access to all the information you stored electronically?
Service organizations often ask our firm whether they have to give out their SOC 1 (formerly SSAE 16) or SOC 2 report to user organizations or prospective user organizations.
With all the commerce and other types of transactions and information that traverse the Internet, it is useful that there are organizations such as the CSA, AICPA, and many others, which are focused on serving the public’s interests. And while nothing will ever give complete assurance as to the internal controls for a service organization, SOC audit reports go a long way to providing a level of assurance that is acceptable to most people and organizations.
SOC logos are available for use by service organizations that have undergone a SOC 1 (formerly SSAE 16), SOC 2, or SOC 3 engagement within the prior 12 months.
The Cloud Security Alliance is a non-profit organization that promotes the use of best practices for providing secure cloud computing. Since 2010, the CSA has released four versions of a free Cloud Controls Matrix for public use.
A question that often comes up from service organizations and service auditors is this: “Who can management distribute the report to?” The answer lies buried in the AICPA’s audit guides and differs depending on the type of service organization control (SOC) audit report.
Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors. These reports come out once a year, typically in the late fall. While most organizations do a good job of recognizing the need to request these reports, the reports often are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received, other than give it to the internal and external auditors?
Recently, the AICPA has started referring to SSAE 16 reports as SOC 1 reports. SOC stands for service organization control reports, not to be confused with SOX, which most know as an acronym for the Sarbanes-Oxley Act of 2002. In any case, the AICPA is trying to simplify the many different types of reports service […]
Frequently, service organizations discuss which of these an organization should complete. Many service organizations receive a significant number of requests related to information technology controls and security. The requests come in different forms, whether for SAS 70 reports (changing to SSAE 16 reports after June 15, 2011), completed questionnaires, or sometimes on-site audits by the user organizations. Some of the pros and cons of each are briefly described below.