Service Organization Controls (SOC) 2: AT 101 Services
Auditing Internal Controls: Type 1 & 2 SOC 2 Reports
When a company seeks to provide its clients with assurance about controls that do not affect its clients’ internal control over financial reporting, a SOC 2 report is the logical choice for auditing internal controls. For example, many companies are asked to demonstrate their controls over privacy and security of healthcare or financial information. Previously, an organization was asked to produce a SAS 70 audit, which was the incorrect reporting format. A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm that opines on an assertion from management of the service organization.
Many organizations that were subject to a SAS 70 audit, but whose controls are not likely to affect their clients’ internal control over financial reporting, are turning to SOC 2: AT 101 Services to meet their contractual obligations. This allows the service organization to demonstrate its controls to its customers through a detailed report similar to an SSAE 16 report. A SOC 2 report can be based upon criteria established by management, third parties or industry standards. The criteria must meet the following basic characteristics:
- Objectivity
- Measurability
- Completeness
- Relevance
Organizations may choose to use the criteria for SOC 3 / Trust Services engagements, their own privacy statement, or best practice standards such as ISO.
Type 1 SOC 2 Report
A Type 1 SOC 2 examination provides for a report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of controls in meeting the applicable criteria.
Type 2 SOC 2 Report
A Type 2 SOC 2 examination provides for a report that is the same as a Type 1 report but also includes (1) the service auditor's opinion on the operating effectiveness of the controls in meeting the applicable criteria and (2) a description of the service auditor's tests of the operating effectiveness of the controls and the results of those tests.
SOC 2: AT 101 Services and Deliverables
A-lign can perform a SOC 2 examination which can comprise the following deliverables for management:
- A-lign’s opinion on management’s assertion
- Management’s assertion
- Management’s description of its system and criteria used
- A-lign’s tests of operating effectiveness and the results of those tests (Type 2 SOC 2 Reports only)
For a free phone consultation for auditing controls, submit the short form to the right, or call 1-888-702-5446 today.