Government & Public Sector

SOC 2 and Subservice Organizations

SOC 2 AND SUBSERVICE ORGANIZATIONS After a review of the new SOC 2 guide, Reporting on Controls at a Service Organization, I noticed that the responsibilities of the service auditor, service organization and subservice organization all seem to have increased when it comes to how subservice organizations may be considered / treated under the new standard.  Trying to get all three parties on the same page is a daunting feat in itself and I wanted to take a moment to share some of the highlights. The inclusive and carve-out method can still be used for subservice organizations just as in SOC 1.

Read More


ADVANTAGE TO THE COLLECTIONS INDUSTRY – AGENCIES, ATTORNEYS, VENDORS, CREDITORS AND ASSET BUYERS The AICPA’s Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization was issued in April 2010.  As of June 15, 2011, the SSAE 16 effectively replaces the long standing SAS 70 as the U.S. standard for reporting on a service organization's internal controls. SSAE 16 is also referred to as Service Organization Control (SOC) Reporting 1.  The focus of SSAE 16 is on controls at a service organization likely to be relevant to user entities’ internal control over financial reporting.  The SAS 70 has been used as the de facto standard for the collections industry for close to 20 years now.  For service organizations that currently have a SAS 70 service examination (“SAS 70 audit”) performed, changes will be required to effectively report under the new SSAE 16 standard.

Read More