Should U.S. Public companies using outsourced services for ITO and BPO request both an SSAE16 SOC 1 and SOC 2, or just a SOC 2?

This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Should U.S. Public companies using outsourced services for ITO and BPO request both an SSAE16 SOC 1 and SOC 2, or just a SOC 2?

Answers

Mark Hurst

It depends on the focus of the outsourced services. If the services impact your organization's Internal Controls over Financial Reporting (ICFR), then you should request an SSAE 16 (SOC 1) report. If the services relate to the Trust Services principles, then you should request a SOC 2 report. If services cover both ITGC and Trust Services principles, then the service auditor is required to issue two separate reports.
