Service Organization Controls

Does your organization outsource certain business tasks or functions – including those that may be integral to your entity’s operations?

If so, you understand that the risks of the service organization – such as providing incorrect information to a user entity or compromising the privacy of a user entity’s information – inevitably become the risks of the user entity as well. How do organizations mitigate this risk? By engaging Tidwell Group to examine and report on a service organization’s controls over the services provided to user entities, service organizations can obtain an objective evaluation of the effectiveness of their controls. They can also meet the assurance needs of their user entities including assurance about the entity’s system controls:

  • Over financial reporting
  • Employed to protect the privacy and confidentiality of users’ data
  • Concerning security, availability and processing integrity

Service Organization Control (SOC) engagements have become the gold standard for examining, assessing, and reporting on these controls. Tidwell Group takes this standard very seriously and aims to continually position itself as the premier provider of SOC reports for service organizations who aim to deliver assurance about system controls to its users.

How Can Tidwell Group Help?

Tidwell Group has provided clients with solutions by assisting them in examining, assessing and reporting on system controls.

  • SSAE 16/SOC 1 Reports:

SOC 1 is a restricted use report on a service organization’s description of its internal controls over financial reporting. The report includes a detailed description of the service organization’s system, the service auditor’s opinion on the fairness of the description, suitability of design, and in a type2 report, the operating effectiveness of controls for the reporting period.

  • SOC 2 Reports:

Designed to provide management of a service organization, user entities, and other specified parties with information and a CPA’s opinion about controls at the service organization relevant to the security, availability, or processing integrity of a service organization’s system or the confidentiality or privacy of the information processed by that system.

The report includes a detailed description of the service organization’s system, the service auditor’s opinion on the fairness of the description, suitability of design of the controls to meet the applicable trust services criteria, and in a type 2 report, the operating effectiveness of controls for the reporting period.

Ed Wetherington, Jr. CPA

Assurance Partner