“In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make service organization control audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.”
American Institute of Certified Public Accountants
Service Organization Control ("SOC") 1 and SOC 2 audits (formerly Statement on Auditing Standard (“SAS”) No. 70 audits) are being demanded by more and more companies affected by the Sarbanes-Oxley Act of 2002, the Health Insurance Portability Act of 1996 (HIPAA), and the Gramm-Leach-Bliley Act of 1999. SOC reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not authorized users of the reports but still use the report as independent third-party verification that controls are in place and are operating effectively.
However, not all SOC audits are created equal. While all companies providing SOC services follow the same AICPA guidance (SSAE 16 for SOC 1 and Trust Services Principles Section 100 for SOC 2), approaches to conducting the audit can differ significantly. GCPA has developed an extensive internal controls database across multiple industries and information system platforms that enables us to streamline our engagements and customize our engagement framework to meet the specific needs of our clients. Our experience within multiple industries facilitates our understanding of your business processes. We can then assist in developing specific control objectives and control activities that provide assurance that all critical business processes are identified, analyzed, and tested.
Our primary SOC expertise is within the printing and marketing industry, data center co-locations, and Internet-based companies. These companies primarily partner with financial institutions to provide statement rendering or IT support and are therefore being asked by these financial institutions to provide a SOC 1 and/or SOC 2 report. Sarbanes-Oxley has dictated the internal control requirements for financial institutions, and those requirements are now extending to their service providers.
At GCPA, we fully appreciate the challenges of managing the increased costs of doing business, understanding that not all SOC costs can be passed on to the customer. We focus on reducing these costs while providing companies with opportunities to grow their respective markets.