Skip to main content
close search
site logo
Anonymous's headshot
Anonymous Agent

Should U.S. Public companies using outsourced services for ITO and BPO request both an SSAE16 SOC 1 and SOC 2, or just a SOC 2?

Asked on May 9, 2013

This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Should U.S. Public companies using outsourced services for ITO and BPO request both an SSAE16 SOC 1 and SOC 2, or just a SOC 2?

Answers

Mark Hurst's headshot
Mark Hurst Director of BAS • May 5, 2011

It depends on the focus of the outsourced services. If the services impact your organization's Internal Controls over Financial Reporting (ICFR) then you shoud request a SSAE 16 (SOC 1) report. If the services relate to the Trust Services principles then you should request a SOC 2 report. If services cover both ITGC and Trust services principles then the service auditor is required to issue two separate reports.

Want to join the conversation? Submit an answer or ask a question by emailing us at [email protected]

Submit an answer
Filed Under: Accounting
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell