System and Organization Controls Reporting

SSAE 18 – SOC 1, SOC 2, and SOC 3

As companies search for an effective approach to outsourcing business processes, cost is not the only key factor to consider. Today, service organizations are under increasing pressure to provide greater transparency to their customers on the effectiveness of their internal controls over the processing, storage and security of customer data. Depending on the services being delivered, service organizations must choose what information is relevant to their clients (financial reporting, security, availability, processing integrity, confidentiality or privacy), and choose the means of reporting to minimize inquiries and requests for audits from those customers.

One way for a service organization to communicate the strength and reliability of its internal processes is by getting an independent audit of the services it provides to customers. Although not mandatory, the audit report serve as an independent verification of the service organization’s internal processes. Clients and others are continuing to expect these critical verification processes in order to maintain a competitive advantage. The benefits of these examinations are realized by the service organization as well as the customers receiving the services.

BPM provides three different types of SOC reports:

  • SOC 1: Financial Reporting
  • SOC 2: Security, Availability, Processing Integrity, Confidentiality or Privacy
  • SOC 3: Trust Services Seal (WebTrust/SysTrust)

Related Services