Who Needs a SOC™ Audit?

There are many reasons why a service organization may decide to obtain a service audit report; here are some of the reasons we often see:

  • Customer requests
    • A customer requests a report because they are outsourcing a key business process and they need to understand the controls at the service bureau as part of their internal Sarbanes-Oxley (SOX) compliance program
    • Customer wants to understand outsourced controls as part of their internal vendor management/due diligence program
    • A large customer required this in their written contract (it is sometimes added when trying to make the sale)
  • The company is losing business to competitors because they don’t provide a Service Organization Control (SOC) report
  • The company realizes that they are getting audited by several companies during the year, which they could potentially eliminate with a SOC audit

Benefits of an Independent SOC 1, 2 or 3 Audit:

  • Instant credibility
  • Independent assessment of controls to give to customers annually
  • Potential to win more business (many companies require a SOC audit as a contractual obligation)
  • Reduction of third-party self-assessment questionnaires
  • One audit report to satisfy multiple customers

Examples of Organizations That Might Request a SOC Audit:

  • Cloud Hosting Service Providers
  • Technology Service Providers (TSPs)
  • Application Service Providers (ASPs)
  • Software-as-a-Service (SaaS)
  • Third-Party Administrators
  • Payroll Providers
  • Professional Employer Organizations (PEOs)
  • Collection Companies
  • Data Center and Co-lo (co-location) Services
  • Managed Service Providers
  • ACH Processors
  • Health Care Claims Processors
  • Prescription Benefit Management Service Providers (PBMs)
  • Financial Services Technology Service Providers (e.g., remote deposit capture service provider)

Services We Provide:

  • Readiness Services – Which audit is right for your customers? Do you have the right controls in place for a successful result?
  • SOC 1 and SOC 2 Audits – Either for a point in time (Type I) or covering a period of time (Type II).


©2017 All Rights Reserved.
connect with Sikich
  • Facebook
  • Twitter
  • LinkedIn
  • You Tube
  • Google+
Sikich LLP.

power by HYPERONIX