System and Organization Controls (SOC) Reporting

What types of businesses typically need SOC reports?

  • Data centers
  • Debt collection companies
  • Fulfillment/logistics businesses
  • Health insurance claims management and processing
  • Hosting and technology services
  • Payment/transaction processors
  • Payroll companies
  • Software as a Service (SaaS)
  • Third-party administrators (TPA)

If your company interacts with the personal data of your client’s customers (e.g., financial transactions, personal identification information, or electronic health data), then you need to know, and your clients need to trust, that you’re safeguarding that data just as they would.

A System and Organization Control (SOC) report helps you understand any risks you may face as you steward your client’s data and whether your controls are sufficient. SOC reporting, developed by the American Institute of Certified Public Accountants (AICPA), provides the criteria CPAs use to evaluate the design and effectiveness of your systems and controls.

An effective SOC will do more than provide a level of assurance to your clients; it will help you improve your business. We understand how to work with small to mid-size companies and will tailor our advice to make sense for your size, structure and resources. Let WBL’s experienced team of auditors and accounting experts help you determine which type of report will best fit your needs or those of your company’s clients.

  • SOC 1 focuses on your company’s controls over financial reporting to your clients.
  • SOC 2 focuses on your company’s controls relevant to five Trust Services Principles: security, privacy, availability, confidentiality and processing integrity of your client’s customer data. It is typically provided to a company’s clients, regulators or other stakeholders.
  • SOC 3 is similar to SOC 2 in that it provides the auditor’s opinion on whether your controls meet the five Trust Services criteria, but it does not include detailed descriptions of the tests performed or your systems and is suitable for sharing with any interested party.