Service Organization Control Series Part II: Basics of SOC 2

Service Organization Control

Outsourcing tasks, or an entire function, can undeniably help a company operate more efficiently and profitably. However, for financial and security reasons, it is important that user entities establish effective controls over any outsourced function, because every outsourcing arrangement carries risk. Nevertheless, through close examination of service organizations such as cloud computing providers, security services, customer support, and claims and management processing, user management can mitigate those risks and ensure that the services being received are of acceptable quality.

Service Organization Control Reports

Developed by the American Institute of Certified Public Accountants (AICPA), Service Organization Control reports serve as quality assurance for both user entities and service organizations and are broken down into three separate reports: Service Organization Control 1, Service Organization Control 2, and Service Organization Control 3.

SOC reports show whether or not internal controls are operating effectively, lend further validity to the financial statements, present significant non-financial data to clients, and demonstrate to customers that the service organization is serious about maintaining the security and confidentiality of their data.

Scope of Service Organization Control 2 Reports

SOC 2 reports cover the broadest range of information and assurance about controls. Additionally, SOC 2 reports are meant to be used as a tool by management and shareholders in assessing the controls of a service organization that are relevant to security, availability, processing integrity, confidentiality, and privacy. The predefined criteria in Trust Services Principles, Criteria, and Illustrations, together with the requirements and guidance in AT Section 101, Attest Engagements, are used on SOC 2 engagements.

Service Organization Control 1 vs. Service Organization Control 2

Similar to SOC 1 reports, SOC 2 reports can be issued as either Type I or Type II. A SOC 2 Type I report covers the suitability of the design of the controls, while a SOC 2 Type II report also examines and verifies the operating effectiveness of the controls. SOC 2 differs from SOC 1 in the professional standards applied, the AICPA publications that make up the SOC framework, the extent and subject matter covered, and the intended users.

Elements of a Service Organization Control 2 Report

A SOC 2 report contains a description of the service organization’s system. It also contains the service auditor’s report, in which the auditor expresses an opinion on the fairness and accuracy of the presentation of the service organization’s system, the suitability of the design of the controls, and the operating effectiveness of the controls.

For a Type II report, the auditor’s tests of the controls and the results of those tests are also part of the SOC 2 report. Moreover, when privacy is in scope, a description of the service auditor’s tests of the service organization’s compliance with the commitments in its statement of privacy practices, and the results of those tests, are included as well.

Benefits and Potential Drawbacks of Service Organization Control 2

SOC 2 reports contain a brief system description and management’s assertion on its controls. Furthermore, the service provider’s controls, the auditor’s test methods, and the test results are also included in the report. This lets readers of a Service Organization Control 2 report examine and evaluate the service provider more thoroughly. However, users may have to gather or acquire additional reports from the provider’s subservice organizations to feel comfortable with their activities. Moreover, service providers may be reluctant to share the report in detail because of concerns about divulging sensitive information.