Service organizations control reporting: Beyond financial reporting
Service organizations are receiving an increasing number of requests for assurance regarding the effectiveness of the controls over their information technology environment. Previously, organizations provided a SAS 70 controls report to meet these demands, but this report focused more on financial reporting controls than on operational and compliance risks.
In response to the requests for assurance beyond financial reporting risks, the American Institute of Certified Public Accountants (AICPA) has established a series of options for the reporting of controls at service organizations, known as service organization controls (SOC) reports (SOC 1, SOC 2 and SOC 3).
This white paper focuses on the SOC 2 and SOC 3 reports, which provide operational and compliance assurance. The reporting process can be complex, but the end result is more accurate information regarding the design and effectiveness of your internal controls.