Service Organization Control Series Part I: Effective Use of SOC 1

Service Organization Control

Service Organization Control reports allow companies to outsource to a service entity various duties and responsibilities that are relevant to their business, including functions that are essential to their daily business undertakings. In effect, the organization is able to minimize its costs while increasing its core competencies. However, the American Institute of Certified Public Accountants reported that each time user entities outsource tasks from service organizations, the service firms’ risks also become the user entities’ risks. The increasing demand for outsourcing, and the risks associated with it, has led to a more formalized system of monitoring and supervising the processes of service organizations in the form of Service Organization Controls (SOC) reporting. Through this framework, service organizations can now acquiesce and satisfy the demands for assurance of user entities and the user auditors who utilize these reports when assessing and evaluating the user entities’ financial statements. Among the Service Organization Control reports is Service Organization Control 1, which is released for activities that adhere to the Statement on Standards for Attestation Engagements No. 18 (SSAE 18).

Objectives of Service Organization Control 1

The primary purpose of Service Organization Control 1 is to report controls, which are pertinent to the user entities’ internal controls over financial reporting. In addition, SOC 1 intends to establish trust and confidence with the service organizations’ clientele. Having SOC 1 reports is useful, not only for user entities but also for service organizations in determining the quality of services the service organizations provide. However, the use of SOC 1 report is limited to the management, their clients, and their clients’ auditors; hence SOC 1 cannot be employed as a marketing document (e.g. displaying a Service Organization Control 1 report on the service organization’s webpage as a “seal of approval”).

Choosing Service Organization Control 1

Since there are three Service Organization Control reporting — SOC 1, SOC 2, and SOC 3 — to choose from, ensuring that the appropriate reporting option will be used is important. Service Organization Control 1 is only fitting if the service organizations’ clients and their auditors will utilize it in both planning and conducting a financial statement audit.

Data Center Providers and Service Organization Control 1

According to Chris Schellman, President and Founder of BrightLine, data centers either preferred using SOC 1 reports or have conjugated SOC 1 report with SOC 2 reports. Contrary to beliefs and hearsays, data centers are not restricted to go for SOC 1 reporting as long as they host systems that are pertinent to the internal controls over financial reporting of user entities. Apparently, this has raised some eyebrows since some people believe, and consider, that hosting services has no relevance to the said matter. However, this is a claim that has been totally debunked by an AICPA.

User Entities and Service Organization Control 1

Generally, SOC 1 is a way for auditor-to-auditor communication. Further, it is a means for service provider-to-customer communication. As such, user entities can utilize SOC 1 report in furthering their understanding and grasp of the controls that are devised and realized by service organizations. Furthermore, user entities can employ these controls as a model in planning and administering their own controls.

Employee Benefit Plans and Service Organization Control 1

Significant and substantial information related to authorization of new accounts, security of data, and marketing of investments, among other things, are disclosed in a SOC 1 report.

With SOC 1 reports, planners within management examine and check their controls and ascertain if these controls are functioning or otherwise. More so, they will be able to determine the deficiency of the controls and examine the feedback or reactions of the service providers. In effect, management can create a resolution and assess if switching to a new service provider is ideal and necessary.

Service Organizations and Service Organization Control 1

SOC 1 reports are ideal for service organizations that provide financial transaction processing or support transaction processing system. Herein, the primary focus of SOC 1 is on financial reporting risks and internal financial controls. The evaluation period is usually one year for SOC 1, although this can be less depending on the situation and the areas under assessment. Service Organization Control 1 covers accounting records, classes of transactions, procedures for processing and reporting, and other data relevant to processing and handling user transactions.

Security Concerns and Service Organization Control 1

A SOC 1 report will inform the users that the system is protected and secured against unauthorized access- and that all confidential information will remain disclosed. In addition, SOC 1 report will specify whether or not the service provider adheres to an entity’s privacy notice.

Conclusion

From the perspective of the business doing the outsourcing, a Service Organization 1 report is a necessity with regards to financial auditing and will most likely be requested by the accounting firm. Furthermore, Service Organization Control 1 reports will allow an entity to closely monitor its vendor to ensure that the entity is receiving quality services. Moreover, a Service Organization Control 1 report will allow the entity to evaluate and assess risks associated with outsourcing and is not only confined to its financial transactions but also extends to other important business functions. Service Organization Control 1 is undoubtedly an important risk assessment tool for the user and is a way to hold the service organizations accountable when it comes to providing the services agreed to.