The Need for Service Organization Control Reports (SOC)
Due to increasing internal-control breakdowns (for example, security and privacy breaches and frauds) and increasing regulatory focus on internal control by public and private companies, many companies are increasing their due diligence efforts and requiring Service Organization Control Reports (SOC) before selecting service organizations. In addition, management of companies contracting with service organizations are responsible for assessing and addressing risks related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations. Although management can delegate tasks or functions to a service organization, the responsibility for the service provided to their customers cannot be delegated. Consequently, management is usually held responsible by those charged with governance (for example, the board of directors); customers; shareholders; regulators; and other affected parties for establishing effective internal control over outsourced functions.
To achieve assurance over a service organizations relevant internal controls, management may ask the service organization for a CPA’s report on the design and operating effectiveness of controls over the service organization’s system that may be relevant to
- the user entities’ internal control over financial reporting (ICFR).
- the security, availability, or processing integrity of the system or the confidentiality or privacy of the information processed for user entities.
User entities that would like to undergo a SOC 1, SOC 2, or SOC 3 engagement may find it helpful to look for firms with this SOC logo displayed on their website.
SSAE 16 Service Organization Control Report (SOC 1)
SOC 1 engagements, which were previously performed under Statement on Auditing Standards (SAS) No. 70, Service Organizations, are now performed under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801). SSAE No. 16 replaces the guidance previously contained in SAS No. 70 for service auditors reporting on controls at a service organization. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting and are used in an audit of a user entity’s financial statements. Use of a SOC 1 report is restricted to management of the service organization, user entities that are customers of the service organization, and user auditors. These reports are not intended for use by others (for example, as a marketing or sales tool for potential customers).
Service Organization Control Report (SOC 2)
SOC 2 engagements address controls at a service organization related to the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by that system. Use of a SOC 2 report is restricted to management of the service organization and other specified parties named in the report who have sufficient knowledge and understanding of the matters identified in the report. Examples of such parties might be regulators and potential user entities with the knowledge specified in the report. The report may be a type 1 or type 2 report, similar to a SOC 1 engagement. The report is applicable to scenarios including: cloud computing, managed security, financial services customer accounting, customer support, sales force automation, health care claims management and processing, and enterprise IT outsourcing services. SOC 2 engagements use the predefined criteria in Five Trust Services principles (TSP section 100) are as follows:
- Security – The system is protected against unauthorized access (both physical and logical)
- Availability – The system is available for operation and use as committed or agreed
- Processing integrity – System processing is complete, accurate, timely, and authorized
- Confidentiality – Information designated as confidential is protected as committed or agreed
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice
Service Organization Control Report (SOC 3)
SOC 3 engagements address the same subject matter as SOC 2 engagements; however, use of these reports is not restricted. Anyone may use these reports, and they may be posted on a website under a seal that is associated with www.webtrust.org