Hello, readers…this is the first in a series of educational blogs, intended to provide guidance and context to the business community and technology service organizations on the growing demand for CPA-provided reporting on business process and IT controls that manage and process critical – and often very sensitive – information belonging to others.

Some background about SOC and SSAE 16

First, let’s set the stage with a little background.  Service Organizations are companies that perform certain tasks or functions for other companies (“user entities”).  Essentially, these are the companies that we use to “outsource” work that we choose not to perform internally.  However, with each “outsourced” task or function, we increase the risk that the Service Organization may not perform the task with the same degree of accuracy and integrity that we would perform if we kept it internally.  Service Organizations understand that the user entities need to obtain assurances; however, the burden of answering questionnaires or participating in site audits from each of their customers can negatively impact their ability to function at a desired level both operationally and financially. In response to these risks and the Service Organizations’ desire to respond without succumbing to a never ending “audit”, the AICPA established specific auditing standards and guidelines which allow Service Organizations to engage a CPA firm to perform an audit of their service(s) and provide them with an Audit Report that can be distributed to the users.  The audit report is designed to provide pertinent information related to the service provided, as well as provide evidence verified by the audit firm that the controls the Service Organization has implemented are performed consistently and accurately.  As you should expect, undertaking an audit of this magnitude is not a task to be taken lightly nor without adequate preparation. Without proper preparation and readiness activities, a Service Organization can experience disastrous and costly results – including possible loss of prospective or active customers.  This series is intended to help you understand how to get ready for the SOC Audit (which also includes reporting under what’s termed “SSAE 16”) so that you can achieve success the first time and every time there after.

SOC – if it applies- are you “ready”?

“SOC Readiness Assessment?”  I know.  Assessment is a dreaded word along with audit, inspection, review, and half-a-dozen other similar words that we all like to avoid!  However, in this blog series, we’re going to explore how to an Assessment can be a very positive thing for your business. Over the next several months, we’re going to dive head first into the SOC world.  Whoops, there’s the first question.  What’s SOC?  SOC stands for Service Organization Controls.  Don’t worry if this still doesn’t mean all that much to you.  I promise that it will by the time this series of blogs ends. Now that we have a better understanding of Service Organizations, here’s a taste of what we’ll be discussing in our future blogs:
  1. SOC Primer – How do we know if we even need a SOC or SSAE16 audit?
  2. SOC Primer – SOC1, SOC2, SOC3, Type1, Type 2… Which is right for us?
  3. SOC Primer – What’s a Control Matrix?
  4. SOC Readiness – Critical Success Factors to Achieve
  5. SOC Readiness – Timelines, general path
  6. SOC Readiness – Impact on Internal Resources
  7. SOC Readiness – Self-service or using Consultants
  8. SOC Readiness – Pitfalls to avoid
  9. SOC Readiness – Impact of  Sub-Service Organizations, Inclusive vs Carve-outs


I look forward to beginning our journey together next time. See you in early August. Lynn McIntier, Sr. Manager Business Risk and Technology Services SingerLewak, LLP