SOC Services

Does Your Service Organization use SOC Audits?

Many businesses now do at least part of their business online, in an ever-changing internet environment. Even very large companies have run into problems with their customer data being hacked and interfered with. It has become necessary to take steps to make sure online customer data is protected by security measures. Customers or prospective customers may ask for proof that a service company's data system has a protocol in place to protect their information. A Service Organization Control Report may be required by prospective clients.

What is a SOC Audit and Who Needs Them?

A Service Organization Control (SOC) Report is the result of an audit done by a specialized auditing firm employing experienced auditors, CPAs, and professionals holding CITP and CISA certifications. These professionals are trained and experienced in the specific reporting standards required in a SOC audit. A SOC Report gives prospective clients and others doing business with a company assurance that the company's system controls concerning financial reporting, privacy, security, and systems integrity are intact. Clients will want assurance that the company's data security systems have kept up with the changes that technology and the internet have introduced to the modern work environment.

Service companies that provide outsourced business services to other entities need SOC reports to show these clients that the data control environment is well defined, well designed, and effectively implemented for security. This helps prospective clients decide whether it is safe to do business with a company. Fast-growing companies in various industries, including healthcare, construction, agribusiness, non-profits, manufacturing, and others, may need this report.

To determine whether a company needs SOC services, this checklist can be helpful. Does the company's business warrant a SOC report, or will it be done just to please a prospective client? Will the business volume lost be larger than the cost of getting a SOC report? Does the company have sufficient business process and IT controls in place? Have important stakeholders been included in the decision? Has the company decided if the controls in place are sufficient to affect the outsourced services the company provides?

Wher