Assurance services | System & Organization Controls (SOC)
System & Organization Controls (SOC) reports, formerly known as Service Organization Controls reports and now more appropriately termed "System & Organization Controls", are widely used by entities that rely on a service organization to help establish trust and confidence in that service organization.
As an outsourcing service provider, you have a number of ways to assure your customers and other stakeholders of your control environment. However, the widely accepted way is to issue a System & Organization Controls (SOC) report.
What are the Standards?
A SOC engagement may be performed under the SSAE 18 standard for US entities. Alternatively, a more globally accepted standard, ISAE 3402, is used in the case of IFAC member bodies. Since the Financial Reporting Council has adopted the IFAC standards in Bangladesh, ISAE 3402 is generally used for SOC reporting.
What are the nature and type of reports?
The most typical SOC reports are SOC 1 and SOC 2; thus, it’s crucial to comprehend their distinctions. SOC 1 and SOC 2 differ in that SOC 1 is more concerned with financial reporting, whereas SOC 2 is more concerned with compliance and operations.
SOC reports are of two types:
A Type 1 report provides assurance on the design and implementation of controls on a certain date.
A Type 2 report provides assurance on the design, implementation and continuous effectiveness of controls during a certain time period, usually one year.
What is an ISAE 3402 attestation?
International Standard on Assurance Engagements 3402 (ISAE 3402), titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that describes Service Organization Control (SOC) engagements, which provide assurance to an organization's customer that the service organization has adequate internal controls.
Which SOC reporting Framework is right for your service organization?