more-arw search

Q&A Forum

Should U.S. Public companies using outsourced services for ITO and BPO request both an SSAE16 SOC 1 and SOC 2, or just a SOC 2?

This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Should U.S. Public companies using outsourced services for ITO and BPO request both an SSAE16 SOC 1 and SOC 2, or just a SOC 2?

Answers

Topic Expert
Mark Hurst
Title: Director of BAS
Company: Hein and Associates
(Director of BAS, Hein and Associates) |

It depends on the focus of the outsourced services. If the services impact your organization's Internal Controls over Financial Reporting (ICFR) then you shoud request a SSAE 16 (SOC 1) report. If the services relate to the Trust Services principles then you should request a SOC 2 report. If services cover both ITGC and Trust services principles then the service auditor is required to issue two separate reports.

1825 views
Topics

Get Free Membership

By signing up, you will receive emails from Proformative regarding Proformative programs, events, community news and activity. You can withdraw your consent at any time. Contact Us.

Business Exchange

Browse the Business Exchange to find information, resources and peer reviews to help you select the right solution for your business.

Learn more

Contribute to Community

If you’re interested in learning more about contributing to your Proformative community, we have many ways for you to get involved. Please email content@proformative.com to learn more about becoming a speaker or contributing to the blogs/Q&A Forum.