Service Organization Control (SOC) Reports


The American Institute of Certified Public Accountants (AICPA) has replaced SAS No. 70 with three new reporting options for service organizations. These Service Organization Controls (SOC) reports have become the standard for a company's representation of services provided to its clients. Many organizations now require these reports in their bidding process and in their annual audit of service providers. Continuing relationships between a vendor and its customer may ride on the presence of a SOC report.


A service organization with a SOC report in hand is better placed to win business than rivals without one.

SOC reports are the product of an external audit of internal controls within a service provider. The reports focus on several key control (trust) areas, including Financial Controls (SOC 1), Security, Availability, Processing Integrity, Confidentiality and Privacy (SOC 2 and SOC 3). There are differing strategies for attaining compliance with the AICPA standards. Certain aspects, though, are fundamental. First, illustrative controls applying to the trust criteria must be in place; second, the external auditor must test for those controls; and third, the auditing firm must be willing to attest to the presence of the controls based upon the evidence collected. This is a process undertaken annually.


HWI Management Consulting has the experience and expertise to steer a service organization successfully through the SOC process. From performing an assessment analysis, to advising on and managing control creation, through to negotiating with stakeholders and the external auditors, the HWI Management Consulting team has proven to be a capable partner to service organizations.