Service Organization Control Series Part I: Basics of SOC 1

Service Organization Control

Service Organization Control practices relate to a world of privacy breaches and fraud, where service organization controls have come under the scrutiny of the government to ensure the confidentiality and integrity of user entities’ sensitive data. Security and compliance are critical, and it is important for service organizations to be able to demonstrate that they are in compliance as well as to show the accuracy of their systems. That is why most service organizations choose to hire an independent CPA to examine and report on the controls within the business. These reports are made in accordance with the Statement on Standards for Attestation Engagements (SSAE) 18 and cover the three Service Organization Control (SOC) reporting options set out by the AICPA. The first of these reports, the Service Organization Control 1, can be very subjective, as every service auditor is different. However, it shows that the organization went through a rigorous audit of its controls following the AICPA’s standards for reporting, in case a financial audit is performed.

How in Depth are Service Organization Control Reports?

The SOC 1 report focuses solely on the service organization’s controls that are most likely to be relevant to the user entities’ financial statements. It is a means of financial reporting on the system of internal control. The Service Organization Control 1 report is a restricted use report, meaning it can only be used by the service organization, the user entities (the service organization’s clients), and the user entities’ financial auditors. Again, the report is subjective: it does not provide the company, user, or auditor with a checklist of financial expenses, but rather a subjective third-party opinion of quality and compliance with internal control over financial reporting.

Service Organization Control Type I

A type I report evaluates the policies and procedures in relation to a specific point in time. Was the control design effective and timely? This report speaks to the fairness of management’s own description of its system and whether or not it lived up to the contract made between the entities. It answers whether the design of the controls was suitable and whether the service provider achieved the related control objectives as of a specific date.

Service Organization Control Type II

A type II report is more detailed than a type I. It includes both a report on the policies and procedures and tests of operating effectiveness over a period of at least six months, so it provides a greater level of assurance than the type I report. A type I report outlines the service organization’s internal control system for the user entity and describes the suitability of the design of the control environment for a specific time period. A type II report provides the same information, but with a more detailed account of the operating effectiveness of the internal control system and of the tests of controls that were performed.

As cloud computing services become more widespread, Service Organization Control reports will become more essential for verifying that information is safeguarded. The general public has been bombarded by news stories of information leaks and the compromise of customer and client information. Addressing those worries by having the necessary failsafes, such as Service Organization Control reports, will keep business moving and information safe.