This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Should U.S. Public companies using outsourced services for ITO and BPO request both an SSAE16 SOC 1 and SOC 2, or just a SOC 2?
Should U.S. Public companies using outsourced services for ITO and BPO request both an SSAE16 SOC 1 and SOC 2, or just a SOC 2?
Answers
It depends on the focus of the outsourced services. If the services impact your organization's Internal Controls over Financial Reporting (ICFR) then you shoud request a SSAE 16 (SOC 1) report. If the services relate to the Trust Services principles then you should request a SOC 2 report. If services cover both ITGC and Trust services principles then the service
Filed Under:
Accounting