System & Organization Controls
BMSS has considerable experience completing annual System and Organization Controls (SOC) reports. Formerly known as SAS 70 reports, SOC reports provide a framework for CPAs to examine controls and help management understand the related risks of outsourcing to a service provider. Building trust with customers and prospects is one of the many ways to benefit from an SOC report. The SOC engagement provides a “look under the hood” for the current or prospective user who typically uses multiple outside service providers and cannot audit each one. Companies benefit from the assurance that an SOC report provides, particularly if they rely on storing, processing or transferring private and confidential information. Having an outside review provides company management with the peace of mind to know that their controls and activities are functioning as expected.Download Brochure
How We Serve
- Perform SOC engagement so clients can propose on large opportunities
- Guide clients from an SOC Type 1 report to a Type 2 report
- Provide clients with examples and SOC case studies relevant to their industry
- Consult prior to SOC testing to identify gaps in need of correction
- Provide clients with a control matrix to aid in organizing control descriptions
SOC Report Comparison
- SOC 1 reports on internal controls over financial reporting are used by management and user auditors.
- SOC 2 reports on security, availability, processing integrity, confidentiality or privacy controls are used by management, regulators and others.
- SOC 3 reports on security, availability, processing integrity, confidentiality or privacy controls are publicly available to anyone.
Our team members have been performing SOC (formerly known as SAS 70) engagements for more than 15 years.
Public companies, which must answer to both investors and regulators, may be more likely to engage a service provider if the service provider has met the rigors of the SOC process.
- BDO SOC Roundtable
- Alabama Society of CPAs (ASCPA)
- American Institute of CPAs (AICPA)
- Information Systems Audit and Control Association (ISACA)