Service Organization Controls and Their Importance for a MSP

Start Here

Get in touch with a
TriCore Solutions specialist

Blog | Sep 10, 2015

Service Organization Controls and Their Importance for a MSP

SOC reports are a mechanism for customers to build trust while outsourcing business services. TriCore has achieved new SOC 1 and SOC 2 reports.



SOC_AICPAThe goal of this blog is to teach you a few things about Service Organizations Controls which are more commonly known as SOC in the business world.  Statement on Standards for Attestation Engagements (SSAE) No. 16, is an attestation standard issued by the American Institute of Certified Public Accountants (AICPA), which is dedicated towards addressing reporting on the implementation and operational effectiveness of MSP’s controls. SOC is a reporting framework developed by AICPA.

Let’s get further into the nitty gritty of the topic and why TriCore is observant of these mandates as an IT organization. 

What is SOC & how does it impact service delivery? 

We, at TriCore, are deeply committed to keep our ‘Trusted Promise’ to deliver unparalleled service and superior technology and skilled people. As a Managed Service Provider (MSP), we ensure that our customers have secure and systematic channels for data delivery and management. Current business models rely heavily on our ability to demonstrate the implementation and effectiveness of our processes/controls to ensure seamless security and gradual service improvements.  

What is the Importance of SOC reports?

SOC reports are a mechanism for customers to build trust while outsourcing business services. SOC reports are independent reports with detailed information about the design and effectiveness of systems thereby improving commercial recognition and business performance. 

TriCore has achieved new SOC 1 and SOC 2 reports. The audits for these reports were conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). These reports attest that TriCore’s controls program is appropriately designed and defined in a manner to safeguard customer data effectively over a period of time. 

SOC Flavors 

What is SOC 1? It reports on controls at a service organization level relevant to a user-entity’s internal control over financial reporting. It evaluates the effects of our internal controls on our customers’ financial statement assertions. 

What is SOC 2? This provides an assurance or an opinion on the level of trust that user-auditor and user-organization can derive from the system that the service organization has deployed measures that effectively mitigate operational and compliance risks. It provides comprehensive assurance for security, availability, processing integrity, confidentiality and privacy controls. 

What is SOC 3? This is a trust report, which is similar to SOC 2, but is less detailed. For example: Companies that use a business partner to perform part of their operations for selling goods via the Internet often find that their customers are concerned with the privacy of the information they provide to the company and the business partner. As customers would like assurance on how the privacy of that information is being managed and processed, the business partner service organizations can use a SOC 3 report to address these concerns. 

The above assessments are annual. An internal audit is performed by the Compliance team in the months of April and September, followed by external audits by our certified public Accountant.  - Moody, Famiglietti & Andronico, LLP (MFA) in October. 

Demand for SOC reports from customers are expected to increase in the coming years due to growth in the cloud computing space.

ISO 27001

ISO 27001 is a risk based framework for establishing, implementing, and improving an organization's ability to maintain an effective Information Security Management System. Increasingly we are seeing a trend where organizations are using both ISO-27001 and SOC2 to demonstrate their commitment to information security.

TriCore plans to undergo the implementation and audit for ISO27001 starting early next year.

In case of any suggestions please write to