
Organizations that perform outsourcing services are often asked by their clients to provide assurance over their internal control environment. This is typically accomplished through a System & Organization Control (SOC) examination, which is a report designed to provide assurance over the internal controls at a service organization. Our team has significant experience performing SOC examination services for a wide variety of industries, including benefit administrators, financial services firms, insurance providers, software companies, technology companies, and professional service firms. SOC requirements can be overwhelming for an organization new to this endeavor. We pride ourselves on making the process seamless and providing value-added education throughout the engagement.

AREAS OF FOCUS

SOC Readiness Assessment

Insyte offers SOC readiness assessment services for clients who want to pursue a SOC examination for the first time. This helps identify potential gaps the company can address prior to beginning the formal SOC examination. We know our clients do not like “surprises”, so a readiness assessment is the best approach for early identification of potential issues. As part of the SOC readiness assessment, we provide specific control recommendations and are also available to discuss any questions with management.

SOC 1 Engagements

SOC 1 engagements examine a service organization’s controls related to items material to financial reporting. Examples of companies that may require a SOC 1 report include outsourced payroll providers, claims processors, employee benefit administrators, and certain software companies. SOC 1 reports are unique to each service organization, as they are based on the individual organization’s key controls relative to the services provided. While company management owns and must assert that the system description and control objectives identified within the SOC report are fairly presented, our role is to ensure our clients understand their responsibilities and that key controls are appropriately identified, tested, and reported for their user entities.

SOC 2 and SOC 3 Engagements

SOC 2 and SOC 3 engagements are related to non-financial reporting controls. Instead of focusing primarily on specific financial transactions, these engagements cover, at a minimum, one of the five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, or Privacy. The principles covered in these engagements can apply to nearly every service organization. Both SOC 2 and SOC 3 engagements use predefined criteria and illustrations which guide the internal control expectations. The primary difference between a SOC 2 and a SOC 3 report is report distribution and content. A SOC 2 report is a restricted use report that provides the service auditor’s opinion on the description of the service organization’s system, as well as a description of the tests of controls and test results performed by the service auditor. A SOC 3 report is a general use report that provides only the service auditor’s opinion on whether the system achieved the trust services criteria.

BENEFITS TO OUR CLIENTS

  • Opportunity to complete a readiness assessment to identify and correct control gaps prior to the formal SOC examination.
  • Differentiation of an organization from its peers by demonstrating the establishment of an effective internal control environment.
  • Value-added process recommendations that are generally identified during our SOC engagements.