Recent Updates to Service Organization Control (SOC) Audit Reports by J. Stephen Nouss, CPA

Posted on October 23, 2017 by Steve Nouss

As more businesses outsource operation-critical applications and services to third-party providers, they demand assurances that the vendors with whom they choose to work abide by the highest levels of security, availability, processing integrity, confidentiality and privacy requirements. They need to know that their partners’ offerings provide a solution for improving business processes. In today’s environment, they also need confidence that their partners have in place the appropriate controls to manage data security, compliance and regulatory risks. After all, if a business customer’s confidential data is exposed due to a security breach at the service organization level, it is the business that will be held responsible and risk loss of customers and reputation.


To help service organizations build trust among its business partners, many are turning to independent CPA firms to audit and prepare formal reports about their Service Organization Controls (SOC). These SOC audit reports demonstrate that service providers employ best practices for monitoring controls and managing risks in a changing business environment. For example, the reports are applicable to software as a service (SaaS) cloud-based applications; cloud computing and data storage; payroll processing, billing and collection services; as well as financial institutions and health care providers that must abide by customer confidentiality and data privacy provisions of the Gramm–Leach–Bliley Act (GLBA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA), respectively.


While the American Institute of CPAs (AICPA) created the SOC framework some time ago, it adopted new guidance in May 2017 to replace the previous “Statement on Standards for Attest Engagements” (SSAE 16) in favor of a simpler SOC 1 report on “Concepts Common to all Attestation Engagements” (SSAE 18).  By consolidating multiple attestation standards that clarify the assurance services provided by independent CPA firms, the new guidance includes the following principles:






SOC reports will continue to address the AICPA’s Trust Service Principles of security, availability, processing integrity, confidentiality and privacy, and provide businesses with assurances that service providers have in place good internal controls around the interrelated components of the control environment, risk management, information and communication, monitoring, and control activities. Additionally, SOC examinations provide service organizations with an opportunity to enhance their business processes and ensure that they meet industry best practices. The three types of SOC reports include:





Berkowitz Pollack Brant’s Business Consulting Group is registered with the AICPA to provide service businesses with SOC audits and reports that help improve transparency and build trust among service organization’s current and prospective customers.


About the Author: Steve Nouss, CPA, is chief consulting officer with Berkowitz Pollack Brant, where he provides profit-enhancing CFO services, operational reviews, enterprise risk management, internal audit and anti-fraud services for businesses of all sizes.  He can be reached at the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or via email at